Researchers Release Micropatch For ‘BlueKeep’ Critical Windows Flaw

Micro-patching service 0patch has released a fix for the “BlueKeep” flaw, aimed at always-on systems that for one reason or another cannot be rebooted or cannot apply Microsoft patches.

Microsoft released a patch for BlueKeep with its monthly update on 14 May, warning that the bug could be exploited in such a way as to create quick-spreading worms similar to the WannaCry malware that spread around the world in May 2017.

Due to its seriousness, Microsoft released the BlueKeep patch for out-of-support systems including Windows XP and Windows 2003.

In-support systems including Windows 7, Windows Server 2008 R2 and Windows Server 2008 are also affected, but Windows 8 and Windows 10 are not.

[Image: Anonymous scans search for systems vulnerable to BlueKeep. Image credit: GreyNoise/Twitter]

Urgent fix

“It is important that affected systems are patched as quickly as possible,” Microsoft said in its advisory.

The issue, tracked as CVE-2019-0708, affects Remote Desktop Services.

It bypasses authentication steps and does not require user interaction, meaning it could be exploited to create a “worm” that spreads automatically from one vulnerable system to another.

That makes it similar to the EternalBlue exploit believed to have been originally discovered by the US’ NSA, and which was used in the WannaCry, NotPetya and Bad Rabbit malware outbreaks.

The EternalBlue exploit was also reportedly used by ransomware that targeted the city of Baltimore earlier this month, hobbling the city’s public services for weeks.

Since Microsoft’s alert, several third-party security researchers have said they have developed working exploits for BlueKeep.

Vulnerability scans

While researchers are not yet aware of active exploitation attempts, threat monitoring group GreyNoise said over the weekend it had detected scans for Windows systems vulnerable to BlueKeep.

The scans, which originate from the Tor anonymity network, are likely to indicate plans for an attack, GreyNoise said.

The 0patch fix is intended to help ward off a possible worm that could make use of large numbers of vulnerable systems, including, for instance, cash machines running Windows XP, the company said.

Such systems in some cases cannot be rebooted in order to apply official patches from Microsoft.

The 0patch fix does not require rebooting and as such is “useful for computers that can’t have Microsoft’s update applied for whatever reason, or can’t be restarted”, 0patch said on Twitter.

0patch fixes are usually a temporary measure while administrators wait for an official patch, but in this case the micropatches are likely to remain in place permanently, or until administrators find a way to bypass reboot restrictions.

Microsoft has also said that administrators can switch on Network Level Authentication (NLA) for Remote Desktop Services Connections on vulnerable systems to effectively block attacks.
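
The NLA setting mentioned above can be audited and switched on from an elevated PowerShell prompt. The script below is an added example, not taken from Microsoft's advisory or the original article; it assumes the default `RDP-Tcp` listener name, its function names are illustrative, and it sticks to PowerShell 2.0 syntax because that is what Windows 7 and Windows Server 2008 R2 ship with.

```powershell
# Added example: audit and enable Network Level Authentication (NLA) on the
# default RDP listener. Run from an elevated prompt on the host itself.
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listener  = "$tsKey\WinStations\RDP-Tcp"   # assumption: default listener name
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue($Path, $Name) {
    # Returns $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-RdpNlaState {
    $deny   = Get-RegValue $tsKey 'fDenyTSConnections'
    $local  = Get-RegValue $listener 'UserAuthentication'
    $policy = Get-RegValue $policyKey 'UserAuthentication'
    # A Group Policy value, when present, overrides the local listener setting.
    $effective = if ($policy -ne $null) { $policy } else { $local }
    New-Object PSObject -Property @{
        RdpEnabled  = ($deny -eq 0)      # 0 means inbound RDP is allowed
        LocalNla    = $local
        PolicyNla   = $policy
        NlaRequired = ($effective -eq 1) # 1 means NLA is enforced
    }
}

function Enable-RdpNla {
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if (-not $ts) { throw 'RDP-Tcp listener not found' }
    $result = $ts.SetUserAuthenticationRequired(1)
    if ($result.ReturnValue -ne 0) { throw "WMI call failed: $($result.ReturnValue)" }
}

$state = Get-RdpNlaState
$state | Format-List
if ($state.RdpEnabled -and -not $state.NlaRequired) {
    if ($state.PolicyNla -eq 0) {
        # A local change would be reverted at the next policy refresh.
        Write-Warning 'NLA is disabled by Group Policy; change the policy instead.'
    } else {
        Enable-RdpNla
        Get-RdpNlaState | Format-List   # re-read to confirm the change took effect
    }
}
```

Changing the setting does not require a reboot, but clients that do not support NLA will no longer be able to connect.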

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
