Even The NSA Is Warning Users To Patch Legacy Windows BlueKeep Wormable Security Exploit

When we think of the National Security Agency (NSA) and cybersecurity, we think of the intelligence agency’s grab bag of security exploits that it uses to enhance its own spying efforts. But one particular remote code execution exploit, which has been dubbed BlueKeep, has the NSA actually warning Windows users to patch their systems immediately.

"This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability," writes the NSA. "NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems."

The NSA goes on to warn that this wormable exploit could likely be used in DDoS attacks and that it likely won't be long before the proof-of-concept code is actually made into a fully-functional WannaCry-style exploit that could wreak havoc on Windows systems across the globe. This is something that Microsoft also warned about last month.

"It is possible that we won’t see this vulnerability incorporated into malware," said Microsoft in May. "But that’s not the way to bet."

The NSA has provided the following guidelines to protect against BlueKeep, in addition to installing the patch that Microsoft has provided:

  • Block TCP port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This is the port used by the RDP protocol, so blocking it stops attempts to establish a connection.
  • Enable Network Level Authentication. This security improvement requires attackers to have valid credentials before they can attempt remote code execution.
  • Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.
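
As an added example (not code from the NSA advisory or the article), the script below audits and applies those three mitigations on a Windows 7 / Server 2008 R2 or later host from an elevated PowerShell 2.0+ prompt; it uses netsh for the firewall rule because those older systems lack the NetSecurity cmdlets. The registry value names and the TermService service name are standard Windows names, while the firewall rule name is our own choice; it does not replace installing the patch.

```powershell
# Hardening helper for CVE-2019-0708 (BlueKeep): added example, not the NSA's or Microsoft's code.
# Assumes Windows 7 / Server 2008 R2 or later, PowerShell 2.0+, run as Administrator.
$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = "$tsKey\WinStations\RDP-Tcp"
$ruleName = 'Block RDP 3389 (BlueKeep)'   # our own rule name, not a Windows default

function Get-RdpExposure {
    # Read the settings each of the three guidelines touches and report them as one object.
    $ts  = Get-ItemProperty -Path $tsKey
    $tcp = Get-ItemProperty -Path $rdpTcp
    $rule = netsh advfirewall firewall show rule name="$ruleName"
    New-Object PSObject -Property @{
        RdpEnabled      = ($ts.fDenyTSConnections -eq 0)   # 0 = Remote Desktop connections allowed
        NlaRequired     = ($tcp.UserAuthentication -eq 1)  # 1 = Network Level Authentication required
        ListeningPort   = $tcp.PortNumber                  # 3389 unless an admin changed it
        Port3389Blocked = [bool]($rule | Select-String 'Block')  # netsh prints "No rules match" if absent
        RdsServiceState = (Get-Service TermService).Status
    }
}

function Set-RdpHardening {
    param([switch]$DisableRemoteDesktop)   # third guideline: only when RDP is genuinely not needed

    # 1. Block inbound TCP 3389 at the host firewall (perimeter firewalls must be handled separately).
    if (-not (Get-RdpExposure).Port3389Blocked) {
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=3389 | Out-Null
    }

    # 2. Require Network Level Authentication, so a client must authenticate before a session is created.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord

    # 3. Optionally turn Remote Desktop off entirely and stop the service from starting again.
    if ($DisableRemoteDesktop) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
        Stop-Service TermService -Force          # -Force also stops dependent services
        Set-Service TermService -StartupType Disabled
    }

    # Return the post-change state so the caller can verify the result.
    Get-RdpExposure
}

# Usage: Get-RdpExposure            (audit only)
#        Set-RdpHardening           (block 3389 + require NLA)
#        Set-RdpHardening -DisableRemoteDesktop
```

Run Get-RdpExposure first on a sample of hosts to see which guideline is unmet before changing anything, and keep the NLA change in mind for clients that connect from older operating systems.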

BlueKeep, whose official designation is CVE-2019-0708, currently affects the following Microsoft operating systems: Windows XP, Windows 7, Windows Server, Windows Server 2008 R2, and Windows Server 2008. Microsoft has made patches available for all of these operating systems, including the decrepit Windows XP.