Unlike BlueKeep, however, the new bugs—half-jokingly named DejaBlue by security researchers tracking them—don't merely affect Windows 7 and earlier, as the earlier RDP vulnerability did. Instead, they affect Windows 7 and beyond, including all recent versions of the operating system.

Marcus Hutchins, a security researcher who has closely followed the RDP vulnerabilities and coded a proof-of-concept tool for exploiting BlueKeep, says that there may well be more machines vulnerable to DejaBlue than to BlueKeep. At this point, nearly every contemporary Windows computer needs to patch, before hackers can reverse engineer those fixes for clues that might help create exploits.

"People who haven’t upgraded since forever might be a little safer from this, but there’s a much larger pool of computers vulnerable to it, I imagine," Hutchins says. "Of course, if you’re taking account of BlueKeep as well, then this just compounds the problem."

Unlike BlueKeep, whose discovery Microsoft credited to the British intelligence agency GCHQ, Microsoft says that it found and patched these new bugs itself. "These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of our continual focus on strengthening the security of our products," Microsoft says. "At this time, we have no evidence that these vulnerabilities were known to any third party." Microsoft didn't immediately respond to a request for comment.

Since BlueKeep was publicly announced on May 14, the security industry has prodded users to patch with mixed results: As of a count last month, somewhere between 730,000 and 800,000 computers remained vulnerable to BlueKeep. Rob Graham, a security researcher and founder of Errata Security, built a scanner to measure the number of machines vulnerable to BlueKeep in May and initially found nearly a million vulnerable machines.
He now estimates that the number of machines vulnerable to the new RDP bugs is likely in the same ballpark. "It's starting all over again," Graham says.

Graham points out, however, that a setting called Network Level Authentication (NLA) on Windows machines blocks the new set of bugs from being exploited. In his previous scans, he found a total of 1.2 million Windows computers that had that setting enabled. But it's not clear which versions of Windows those computers are running, or how many other machines don't have NLA turned on.

The good news is that Windows offers auto updates by default; those with that feature enabled should be covered soon, if not already. Anyone who has that turned off, though, should turn on NLA now, and download a patch against the new RDP bugs here.
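The "turn on NLA now" advice above, as an added administrator's check that is not part of the article: this script reads the documented Terminal Server registry values to report whether RDP is enabled and whether NLA is required, and enforces NLA through the Win32_TSGeneralSetting WMI class if it is not. It assumes an elevated PowerShell session on Windows 7 or later; the function names are my own.

```powershell
# Added example (not from the article): audit and, if needed, enforce
# Network Level Authentication for the local RDP-Tcp listener.
# Assumes an elevated PowerShell session on Windows 7 or later.

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

function Get-RdpNlaStatus {
    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means clients must authenticate before a session is created (NLA).
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS.
    $sec  = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSVersion     = [System.Environment]::OSVersion.Version.ToString()
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($nla -eq 1)
        SecurityLayer = $sec
    }
}

function Enable-RdpNla {
    # Same switch as the "Allow connections only from computers running Remote
    # Desktop with Network Level Authentication" checkbox in System Properties.
    $setting = Get-WmiObject -Class Win32_TSGeneralSetting `
        -Namespace 'root\cimv2\TerminalServices' -Filter "TerminalName='RDP-Tcp'"
    [void]$setting.SetUserAuthenticationRequired(1)
}

$status = Get-RdpNlaStatus
$status | Format-List

if ($status.RdpEnabled -and -not $status.NlaRequired) {
    Write-Warning 'RDP is reachable without NLA; enforcing NLA now.'
    Enable-RdpNla
    # Re-read the registry to confirm the change took effect for new connections.
    Get-RdpNlaStatus | Format-List
} elseif (-not $status.RdpEnabled) {
    Write-Output 'Remote Desktop is disabled on this host; the RDP-Tcp listener is not exposed.'
} else {
    Write-Output 'NLA is already required.'
}
```

NLA only gates who can reach the vulnerable code path; it is a stopgap alongside the August patch, not a substitute for it.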
Andy Greenberg is a WIRED security writer and author of the forthcoming book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.

When BlueKeep first appeared, security researchers and even Microsoft itself warned that it could be integrated into a widespread worm within just weeks that might be as serious as WannaCry or NotPetya, as malicious hackers moved faster than the vast number of vulnerable users who needed to patch. Three months have since passed with no worm in sight, although more stealthy hackers may already be hacking RDP in secret, targeted attacks. The absence of the expected worm, some researchers say, is due to restraint on the part of the security research community, which largely abstained from publicly releasing proof-of-concept hacking tools that exploit BlueKeep. Also, few details have become public about how exactly BlueKeep works, and building a reliable intrusion based on it appears to be surprisingly difficult.

Exploiting DejaBlue might be marginally easier than BlueKeep, says Hutchins, who says coding a BlueKeep exploit took him close to a week of full-time work. The hard part, he says, was manipulating a computer’s memory so that the RDP bug allows the hacker to run their own code instead of crashing the computer. When DejaBlue crashes a computer, Hutchins says, it merely crashes the RDP service on the target device rather than the whole machine, allowing a hacker with an unreliable exploit to use it more stealthily. “BlueKeep required some kind of specialized knowledge,” Hutchins says. “This seems like it might have a larger group of people capable of writing an exploit.”

DejaBlue might be patched more quickly than BlueKeep was, notes Hutchins, since users with newer versions of Windows also tend to patch more reliably. Hutchins also says that after predicting a BlueKeep worm's arrival well before today, he's going to hold off on any more speculation.
"It's entirely possible a worm for this might be more likely, but we can’t really predict what people are going to do," Hutchins says. "The bad guys are going to do what the bad guys are going to do."