Bekker's Blog

Blog archive

Concern Mounts About 'BlueKeep' Windows RDP Flaw

The Cybersecurity and Infrastructure Security Agency (CISA), the lead U.S. government unit on civilian cybersecurity, has joined the chorus of warnings about the "BlueKeep" Windows security vulnerability.

BlueKeep refers to a critical vulnerability in the implementation of the Remote Desktop Protocol (RDP) used by several older Windows operating systems, including Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008. BlueKeep's Common Vulnerabilities and Exposures (CVE) identifier is CVE-2019-0708.

Microsoft disclosed the vulnerability in mid-May and took the extraordinary step of providing patches for some of the involved operating systems that have fallen out of support -- Windows XP, Windows Vista and Windows Server 2003.

Because the vulnerability is pre-authentication and requires no user interaction, Microsoft at the time warned, "The vulnerability is 'wormable', meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017."

In an end-of-May blog post, the Microsoft Security Response Center repeated its warnings about the BlueKeep vulnerability in no uncertain terms. "It's been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we're out of the woods ... It is possible that we won't see this vulnerability incorporated into malware. But that's not the way to bet."

Earlier this month, the U.S. National Security Agency (NSA) issued a public warning of its own urging Windows administrators to apply the patch and update their systems. In the June 4 statement, the NSA wrote, "Although Microsoft has issued a patch, potentially millions of machines are still vulnerable."

Now comes the CISA warning, which also urges users and administrators to review Microsoft's advisory and "apply the appropriate mitigation measures as soon as possible." In addition to enumerating the previous concerns about the vulnerability -- such as a successful attacker's ability to add accounts with full user rights; view, change or delete data; or install programs -- CISA goes further with a discussion of its own tests.

"CISA tested BlueKeep against a Windows 2000 machine and achieved remote code execution. Windows OS versions prior to Windows 8 that are not mentioned in this Activity Alert may also be affected; however, CISA has not tested these systems," the alert states.

Attila Tomaschek, data privacy advocate at ProPrivacy.com, said the CISA warning should not be taken lightly, in part because of the agency's test. "The fact that CISA revealed that it was able to exploit BlueKeep to execute code remotely on a computer running Windows 2000 suggests that it is only a matter of time before malicious attackers are able to do the same," Tomaschek said in an e-mailed statement.

Tomaschek suggested that the CISA's critical warning indicates that authorities believe the threat of a malicious exploit with the capability to infect large numbers of vulnerable devices is imminent. "Organizations and individuals using vulnerable Windows operating systems should take heed and install Microsoft's security updates to patch the vulnerability and insulate themselves from an attack that could potentially take over their systems and compromise hordes of sensitive data," he said.

Posted by Scott Bekker on June 19, 2019


Featured

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Notebook

    Microsoft Centers AI, Security and Partner Dogfooding at MCAPS

    Microsoft's second annual MCAPS for Partners event took place Tuesday, delivering a volley of updates and directives for its partners for fiscal 2026.

  • Microsoft Layoffs: AI Is the Obvious Elephant in the Room

    As Microsoft doubles down on an $80 billion bet on AI this fiscal year, its workforce reductions are drawing scrutiny over whether AI's ascent is quietly reshaping its human capital strategy, even as official messaging avoids drawing a direct line.