Advisory November 11, 2019

Client advisory: BlueKeep exploit in Windows

Update your Windows operating systems immediately to guard against the BlueKeep exploit.

Security researchers have recently seen a mass exploitation attempt targeting devices vulnerable to the BlueKeep exploit, also known as CVE-2019-0708. This advisory urges our policyholders to ensure all systems are updated to avoid potential attacks as a result of this, or any other, vulnerability.
BlueKeep is a critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services (RDS) and was first reported in May 2019. It is 'wormable', meaning it could be used to spread malware without authentication or user interaction. It therefore has the potential to create incidents similar to the WannaCry ransomware attack of 2017.

As of November 2019, it is estimated that 500,000 systems could still be exposed to BlueKeep, despite Microsoft releasing patches against the exploit shortly after its discovery in May. The National Security Agency and Microsoft have stressed the importance of running system updates and have advised everyone to immediately apply patches to the following affected versions of Windows:

  • Windows XP, Windows Vista, Windows 7
  • Windows Server 2003, Windows Server 2008, Windows Server 2008 R2

Please advise your clients to upgrade to the most recent version as soon as possible. Legacy operating systems pose a serious security risk: the more outdated a system becomes, the less likely it is that its manufacturer will continue to provide security patches for it.

Besides upgrading systems, the following additional measures should also be taken:

  • Block TCP port 3389 at your firewalls, as this is the port used by the Remote Desktop Protocol. This will deny any attempt to establish a connection.
  • Enable Network Level Authentication (NLA). This means an attacker would first have to authenticate to RDS before being able to exploit the vulnerability.
  • Disable RDS if it is not needed, to reduce exposure to vulnerabilities overall.
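As an added example that is not part of the original advisory, the following PowerShell script audits a single host against the three measures above and, with -Enforce, applies them. It assumes Windows PowerShell run as Administrator on Windows 7 / Server 2008 R2 or later (netsh advfirewall is not available on XP / Server 2003); the firewall rule name is constructed here, and a host-level block of TCP 3389 complements, rather than replaces, blocking the port at the network perimeter.

```powershell
<#
  Added example, not part of the original advisory. Audits one Windows host
  against the advisory's three measures (block TCP 3389, require NLA,
  disable RDS when unneeded) and applies them when -Enforce is given.
  Run as Administrator. Registry paths are the standard Terminal Services keys.
#>
param(
    [switch]$Enforce,      # apply fixes instead of only reporting
    [switch]$DisableRds    # with -Enforce: turn Remote Desktop off entirely
)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$ruleName = 'Block inbound RDP (TCP 3389) - BlueKeep advisory'   # constructed name

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means disabled.
$rdsOff = (Get-ItemProperty $tsKey -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1

# 2. Is Network Level Authentication required? UserAuthentication = 1 means yes.
$nla = (Get-ItemProperty $rdpKey -ErrorAction SilentlyContinue).UserAuthentication -eq 1

# 3. Does the host firewall already carry our inbound block rule for TCP 3389?
#    netsh prints "No rules match the specified criteria." when it does not.
$ruleText = netsh advfirewall firewall show rule name="$ruleName" 2>&1
$blocked  = ($ruleText -join "`n") -match 'Action:\s+Block'

# Report the current posture before changing anything.
New-Object PSObject -Property @{
    Host            = $env:COMPUTERNAME
    RdsDisabled     = $rdsOff
    NlaRequired     = $nla
    Port3389Blocked = $blocked
} | Format-List

if (-not $Enforce) { return }

if (-not $nla) {
    Set-ItemProperty $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Write-Host 'Enabled Network Level Authentication.'
}
if (-not $blocked) {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=3389 | Out-Null
    Write-Host 'Added inbound block rule for TCP 3389.'
}
if ($DisableRds -and -not $rdsOff) {
    Set-ItemProperty $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Write-Host 'Disabled Remote Desktop Services connections.'
}
```

Run without switches first to see which measures are already in place; the block rule will cut off legitimate remote administration too, so add it only on hosts that do not need inbound RDP.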

For those of our customers who use the affected versions of Windows, links to the critical patches can be found in Microsoft's Security Guidance Advisory, linked here: