BlueKeep – everyone agrees, you should patch PCs running legacy versions of Windows

Graham Cluley


I have this horrible feeling that the only way we’re going to wake the world up to the need to patch their ageing versions of Windows against the BlueKeep vulnerability is to wait until a malicious worm begins to spread around the world.

For those who haven’t been following the security news over the last few weeks, BlueKeep (technically known by the unglamorous name of CVE-2019-0708) is a vulnerability in Remote Desktop Services, the Windows component that implements the Remote Desktop Protocol (RDP), affecting Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008 (including 2008 R2). It can be triggered by an unauthenticated attacker before any logon takes place, which is why it is described as “wormable”: malware could use it to hop from one exposed machine to the next with no user involvement. Windows 8 and Windows 10 are not affected.

Some estimates suggest that, despite Microsoft releasing a patch on May 14, 2019, almost one million machines with RDP exposed to the internet remain unpatched and potentially open to exploitation.

Microsoft is clearly concerned, having taken the unusual step of issuing patches for old versions of Windows which it no longer officially supports, and publishing reminders on its blog for users to take action.

The NSA is clearly concerned, urging administrators and users to patch in a press release and distributing a security advisory.

And the UK’s National Cyber Security Centre is clearly concerned. The NCSC, part of GCHQ, privately reported the vulnerability to Microsoft in the first place, and has said that BlueKeep “poses a serious threat”, recommending that organisations and individuals apply the security patches as soon as possible.

In the back of many people’s minds is the WannaCry ransomware outbreak, which struck hard in May 2017 by exploiting an SMB vulnerability for which Microsoft had already pushed out patches two months earlier.

No-one wants another attack like that. Make sure your computers are patched and secured now.

You may also want to consider the following additional measures suggested by the NSA:

  • Block TCP port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. RDP listens on this port by default, so blocking it stops inbound connection attempts from outside. It does nothing against an attacker who is already inside the network, so treat it as a stopgap rather than a substitute for the patch.
  • Enable Network Level Authentication (NLA). With NLA the client must authenticate before a session is set up, so an attacker needs valid credentials before they can reach the vulnerable code and attempt remote code execution. Two caveats: NLA only blocks unauthenticated exploitation, so an attacker who already holds credentials for the machine can still exploit an unpatched system; and NLA is only available on the server side from Windows Vista / Server 2008 onwards, so on XP and Server 2003 your options are the patch, blocking the port, or disabling RDP.
  • Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services reduces your exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.

For more discussion on the BlueKeep vulnerability and its possible exploitation, check out this episode of the “Smashing Security” podcast: Smashing Security #131: “Zap yourself from the net, and patch now against BlueKeep”.
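Putting the three NSA mitigations into practice on a single Windows 7 / Server 2008 R2 host, as an added example that is not from the post or from the NSA advisory. It assumes an elevated PowerShell 3.0 or later prompt, the default RDP-Tcp listener, and that the host does not need RDP (the `$rdpNeeded` flag); the function names and the firewall rule name are this example’s own, while the registry paths, value names, service name and KB numbers are Microsoft’s. Run the report, apply the changes, then run the report again and compare.

```powershell
# Added example: apply and verify the BlueKeep mitigations on one legacy host.
# Assumes an elevated PowerShell 3.0+ session and the default RDP-Tcp listener.
# Registry paths, value names, service name and KB IDs are Microsoft's;
# the function names and the firewall rule name are this example's own.

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = "$tsKey\WinStations\RDP-Tcp"
$ruleName = 'BlueKeep-Block-Inbound-RDP-3389'

function Test-BlueKeepPatch {
    # KB4499175 (security-only) and KB4499164 (monthly rollup) carry the
    # CVE-2019-0708 fix for Windows 7 SP1 / Server 2008 R2 SP1.  Other legacy
    # versions use different KBs; pass the right ones for the OS in question.
    param([string[]]$KbIds = @('KB4499175', 'KB4499164'))
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($KbIds | Where-Object { $installed -contains $_ })
}

function Set-RdpNetworkLevelAuth {
    # UserAuthentication = 1 makes the listener demand NLA (CredSSP) before a
    # session exists, so an unauthenticated client never reaches the bug.
    # Same effect as "Allow connections only from computers running Remote
    # Desktop with Network Level Authentication" in System Properties.
    Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
}

function Block-RdpPort {
    # Host-firewall rule.  Windows 7 / 2008 R2 lack New-NetFirewallRule, so
    # this uses netsh, which exists on every affected version from Vista on.
    # Delete first so re-running the script does not pile up duplicate rules.
    netsh advfirewall firewall delete rule name="$ruleName" | Out-Null
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
        protocol=TCP localport=3389 | Out-Null
}

function Disable-RemoteDesktop {
    # fDenyTSConnections = 1 is the registry form of "Don't allow connections
    # to this computer"; disabling TermService removes the listener entirely.
    # WARNING: if you are running this over RDP, this is where you get cut off.
    Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1 -Type DWord
    Stop-Service -Name 'TermService' -Force -ErrorAction SilentlyContinue
    Set-Service  -Name 'TermService' -StartupType Disabled
}

function Get-RdpExposureReport {
    # One object per host, suitable for a before/after comparison or for
    # collecting from a fleet via a startup script.
    $ua   = (Get-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -ErrorAction SilentlyContinue).UserAuthentication
    $deny = (Get-ItemProperty -Path $tsKey  -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue).fDenyTSConnections
    $svc  = Get-WmiObject -Class Win32_Service -Filter "Name='TermService'"
    # netstat rather than Get-NetTCPConnection, again for Windows 7 compatibility.
    $listening = [bool](netstat -ano -p TCP | Select-String '^\s*TCP\s+\S+:3389\s+\S+\s+LISTENING')
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Patched           = Test-BlueKeepPatch
        NlaRequired       = ($ua -eq 1)
        RdpDisabled       = ($deny -eq 1)
        TermServiceState  = $svc.State
        TermServiceStart  = $svc.StartMode
        Port3389Listening = $listening
        FirewallRuleSet   = [bool](netsh advfirewall firewall show rule name="$ruleName" | Select-String 'Rule Name')
    }
}

# Example run.  NLA goes on everywhere; the port block and service disable
# only on hosts that do not need RDP (an assumption hard-coded here).
$rdpNeeded = $false

"Before:"; Get-RdpExposureReport | Format-List
Set-RdpNetworkLevelAuth
if (-not $rdpNeeded) {
    Block-RdpPort
    Disable-RemoteDesktop
}
"After:"; Get-RdpExposureReport | Format-List
if (-not (Test-BlueKeepPatch)) {
    Write-Warning 'CVE-2019-0708 patch not found: the mitigations reduce exposure but do not remove the vulnerability.'
}
```

For more than a handful of machines, the same two settings are better pushed by Group Policy than by a per-host script: under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host, set Security > “Require user authentication for remote connections by using Network Level Authentication” to Enabled, and, on hosts that do not need RDP, set Connections > “Allow users to connect remotely by using Remote Desktop Services” to Disabled. Either way, the report function is worth keeping: the mitigations buy time, but only the patch (checked by `Test-BlueKeepPatch`) removes the vulnerability.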

    Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

    2 Replies to “BlueKeep – everyone agrees, you should patch PCs running legacy versions of Windows”

    1. I've seen the mitigation suggestion to disable RDP, but no specific instructions on how to do that.
      What is the best practice here? Setting the control panel service for Remote Desktop Services to Disabled? A Registry Key somewhere? Group Policy?
