Microsoft published a warning detailing seven new vulnerabilities in Windows Remote Desktop Services, all of them reachable by attackers over the Remote Desktop Protocol (RDP).
Of the seven, Microsoft warns that two are particularly severe: they can be triggered without authentication or user interaction, so a malicious actor could use them to build an automated worm that spreads from one unpatched Windows machine to the next, potentially infecting millions of computers.
If you’re feeling a sense of deja vu, you’re not alone.
BlueKeep, the RDP flaw disclosed in May, also had the potential to be turned into a worm, but the new flaws, collectively nicknamed DejaBlue, reach much further. BlueKeep affected Windows 7 and earlier. DejaBlue affects Windows 7 as well as everything released after it, including all current versions of Windows 10.
In other words, nearly all Windows computers will need a patch against DejaBlue.
For the unfamiliar, RDP is the protocol administrators use to open a graphical desktop session on another Windows machine over the network. Microsoft says it found and patched these new bugs itself while hardening RDP. BlueKeep, by contrast, was reported to Microsoft by a British intelligence agency, GCHQ.
Further, Microsoft told Wired that it currently has no evidence that the vulnerabilities were known to any third party.
Getting the patch to users is the challenge
Getting users to update their PCs, however, may be a significant hurdle. After BlueKeep was disclosed in May, security researchers estimated that close to one million internet-exposed PCs were vulnerable. Current estimates put the number still unpatched against BlueKeep at between 730,000 and 800,000.
DejaBlue effectively resets that count: the number of machines reachable over RDP and vulnerable to the new flaws is likely in the same ballpark.
Researchers found that a Windows setting called Network Level Authentication (NLA) blocks the exploits, because NLA requires the client to authenticate before the vulnerable session-setup code is reached. An attacker who already holds valid credentials can still get through, so NLA is a mitigation, not a fix. Scans put the number of internet-facing RDP hosts with NLA enabled at about 1.2 million, but it is not clear how many more have it turned off.
It’s also worth noting that, despite warnings from both Microsoft and security researchers about BlueKeep’s potential to become a worm, three months have passed with no signs of infection.
Hackers could be using BlueKeep in smaller attacks on specific targets. The absence of a worm could also reflect restraint in the security community, which has avoided publicly releasing proof-of-concept exploit code for the vulnerability.
Or it could simply be that building a reliable exploit for BlueKeep is hard.
However, DejaBlue may be easier to exploit than BlueKeep. Worse, there’s more incentive with DejaBlue, since it affects newer computers and potentially more people.
On the other hand, newer versions of Windows tend to get patched faster thanks to automatic updates. Wired says users with automatic updates enabled should receive the patch soon if they haven't already. If you have disabled automatic updates, turn on NLA to protect yourself until you can install Microsoft's patch, and if you don't need Remote Desktop at all, turn the service off so it isn't reachable in the first place.