Davey Winder via Forbes
I can’t recall ever seeing the U.S. National Security Agency (NSA) jumping in and warning users of Microsoft Windows to check if their systems are fully patched and, if not, to update now or risk a “devastating” and “wide-ranging impact.” But that’s what has just happened.
In an advisory published this week, the NSA has urged “Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threat.” That threat being BlueKeep, which has already been the focus of multiple “update now” warnings from Microsoft itself.
The NSA warning comes off the back of research that revealed just under one million internet-facing machines are still vulnerable to BlueKeep on TCP port 3389, the default port for Microsoft Remote Desktop Services, with an unknown number of further devices at risk on the internal networks behind them. The potential is certainly there for this threat, if exploited, to be on the scale of WannaCry: like the SMB flaw behind WannaCry, BlueKeep needs no user interaction and no credentials, so it could carry a self-propagating worm.
It’s hard to know exactly why the NSA has decided to issue this advisory now, especially as it hasn’t gone through the more usual U.S. Computer Emergency Readiness Team (US-CERT) channel. “I suspect that they may have classified information about actor(s) who might target critical infrastructure with this exploit,” Ian Thornton-Trump, head of security at AmTrust International, told me, “that critical infrastructure is largely made up of the XP, 2K3 family.” This makes sense. Windows 8 and Windows 10 are not affected by this vulnerability, but Windows 7, Windows Server 2008 and Windows Server 2008 R2 are, as are the out-of-support Windows XP, Windows Server 2003 and Windows Vista, which is why Microsoft took the unusual step of releasing a fix for those older systems as well.
John Opdenakker, an ethical hacker, agrees that it could well indicate the NSA is in possession of further threat intelligence regarding the BlueKeep threat. “If it’s actively being exploited, then I kind of understand why they would do it,” Opdenakker told me, adding, “it’s certainly not being exploited at scale though, otherwise we would have heard about it already.” The latter point is the important one as far as the “normal user” is concerned, in my opinion. There is little denying that, as Thornton-Trump puts it, “governments are more or less the ultimate authority; vetting, testing and intelligence all has to be assembled and internally red-teamed before an estimate of risk can be assigned.” That vetting process introduces a time lag as intelligence agencies react to the dynamic nature of such exploit disclosures.
All of which means, information security analyst Mike Thompson told me, that if the NSA has an issue here it could be “something that they are worrying about impacting them” rather than you or me. As such, until we better understand the real-world impact on normal users, “we shouldn’t lose our heads about it,” Thompson concludes.
So where does that leave us? Sean Wright, Scotland chapter leader of the Open Web Application Security Project (OWASP), told me, “patch where you can, but otherwise carry on as normal: the good guys are a step ahead of the bad guys, unlike WannaCry.” Leigh-Anne Galloway, the cybersecurity resilience lead at Positive Technologies, adds: “As this vulnerability is exploited via Remote Desktop Protocol, but is not a vulnerability in Remote Desktop Protocol, vulnerable systems must have an internet facing Remote Desktop Protocol service to be exploitable.” Which means that if upgrading your device to a supported version of Windows is not possible, “it is essential that the exposure to such systems is limited,” according to Galloway. In practice that means not leaving TCP port 3389 reachable from the internet, requiring Network Level Authentication (NLA) so that a client must authenticate before it reaches the vulnerable code path, and putting any RDP that genuinely must be remote behind a VPN or gateway. NLA is a mitigation, not a fix: an attacker who already holds valid credentials can still trigger the flaw, so the patch is still required.
I agree with all of that analysis, despite being no great fan of the way that Microsoft has mishandled updates and patches of late. Nor am I used to passing on “advice” from the NSA, truth be told. However, on this occasion, I do happen to agree with both Microsoft and the NSA that anyone who has not yet patched against the BlueKeep threat should do so as a matter of urgency, where at all possible. For once though, Windows 10 users can keep calm and carry on.
UPDATE: Gavin Millard, vice president of intelligence at Tenable, informs me that a straw poll of some 255 IT security professionals attending the Infosecurity Europe show earlier this week found 79% were unaware of the BlueKeep vulnerability. That’s nearly a month after it was announced; a quite stunning finding if you ask me. “In 30 days’ time we don’t want to be looking back, as many did with the MS17-010 vulnerability that led to WannaCry,” Millard says, “and wonder why patches hadn’t been pro-actively deployed to mitigate the significant threat this vulnerability could quickly pose.”