Researchers Release Micropatch For ‘BlueKeep’ Critical Windows Flaw

Micro-patching service 0patch has released a fix for the “BlueKeep” flaw, aimed at always-on systems that for one reason or another cannot be rebooted or cannot apply Microsoft patches.

Microsoft released a patch for BlueKeep with its monthly update on 14 May, warning that the bug could be exploited in such a way as to create quick-spreading worms similar to the WannaCry malware that spread around the world in May 2017.

Due to its seriousness, Microsoft released the BlueKeep patch for out-of-support systems including Windows XP and Windows 2003.

In-support systems including Windows 7, Windows Server 2008 R2 and Windows Server 2008 are also affected, but Windows 8 and Windows 10 are not.

Anonymous scans search for systems vulnerable to BlueKeep. Image credit: GreyNoise/Twitter

Urgent fix

“It is important that affected systems are patched as quickly as possible,” Microsoft said in its advisory.

The issue, tracked as CVE-2019-0708, affects Remote Desktop Services.

It bypasses authentication steps and does not require user interaction, meaning it could be exploited to create a “worm” that spreads automatically from one vulnerable system to another.

That makes it similar to the EternalBlue exploit, which is believed to have been originally discovered by the US NSA and which was used in the WannaCry, NotPetya and Bad Rabbit malware outbreaks.

The exploit was also reportedly used by ransomware that targeted the city of Baltimore earlier this month, hobbling the city’s public services for weeks.

Since Microsoft’s alert, several third-party security researchers have said they have developed working exploits for BlueKeep.

Vulnerability scans

While researchers are not yet aware of active exploitation attempts, threat monitoring group GreyNoise said over the weekend it had detected scans for Windows systems vulnerable to BlueKeep.

The scans, which originate from the Tor anonymity network, are likely to indicate plans for an attack, GreyNoise said.

The 0patch fix is intended to help ward off a possible worm that could make use of large numbers of vulnerable systems, including, for instance, cash machines running Windows XP, the company said.

Such systems in some cases cannot be rebooted in order to apply official patches from Microsoft.

The 0patch fix does not require rebooting and as such is “useful for computers that can’t have Microsoft’s update applied for whatever reason, or can’t be restarted”, 0patch said on Twitter.

0patch fixes are usually a temporary measure while administrators wait for an official patch, but in this case the micropatches are likely to remain in place permanently, or until administrators find a way to bypass reboot restrictions.

Microsoft has also said that administrators can switch on Network Level Authentication (NLA) for Remote Desktop Services Connections on vulnerable systems to effectively block attacks.

Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications.
