BlueKeep freakout had little to no impact on patching, say experts

The flurry of reports in recent weeks of in-the-wild exploits for the Windows RDP ‘BlueKeep’ security flaw had little impact among those responsible for patching, it seems.

This according to researchers with the SANS Institute, who have been tracking the rate of patching for the high-profile vulnerability over the last several months and, via Shodan, monitoring the number of internet-facing machines that have the remote desktop flaw exposed.

First disclosed in May of this year, BlueKeep (CVE-2019-0708) describes a bug in the Windows Remote Desktop Protocol that allows an attacker to gain remote code execution without any user interaction. Microsoft has had a patch out for the bug since it was first disclosed.

Over the last week or so, reports came that researchers were spotting active exploits for BlueKeep being lobbed at their ‘honeypot’ systems. These attacks were found to be attempts by hackers to infect machines with cryptocoin-mining software and led to a series of media reports urging users to patch their machines now that BlueKeep exploits had arrived in earnest.

According to SANS, those reports did not do much to get people motivated. The security institute says that the rate of BlueKeep-vulnerable boxes it tracks on Shodan has been on a pretty steady downward slope since May, and the media’s rush to sound alarms over active attacks did not change that.

“The percentage of vulnerable systems seems to be falling more or less steadily for the last couple of months,” noted SANS researchers Jan Kopriva and Alef Nula, “and it appears that media coverage of the recent campaign didn’t do much to help it.”

That doesn’t, however, mean that there is no threat of a BlueKeep malware outbreak. While the SANS duo say that BlueKeep machines are decreasing in number, there are still more than enough exposed boxes to make for an attractive exploit target.

“Since there still appear to be hundreds of thousands of vulnerable systems out there,” they point out, “we have to hope that the worm everyone expects doesn’t arrive any time soon.”

Fortunately, this week will be a good time for users and admins to get themselves caught up on patches for BlueKeep and other security fixes that have been posted over the summer by Microsoft.

With the November edition of Patch Tuesday slated to land tomorrow, users can fire up Software Update and get that and previous security fixes to make sure they are protected from all of the known vulnerabilities. ®
