Two weeks have passed since Microsoft warned users about a critical vulnerability in a common Windows protocol that could enable a hacker to remotely take over machines without even a click from their owners, potentially allowing an infectious worm to rip through millions of PCs. That bug might be fading from the headlines, but it still lingers in at least 900,000 computers. And that vulnerable herd is getting Microsoft's patch at a glacial pace—as a wave of contagion that will likely soon hit all of them looms.
BlueKeep, as the bug has come to be known, is a hackable vulnerability in Microsoft’s Remote Desktop Protocol, or RDP, that affects Windows 7 and earlier as well as older versions of Windows Server. The insecure code was spotted and reported by the UK's National Cybersecurity Center, and Microsoft released a patch on May 14. BlueKeep is so serious—rating 9.8 out of 10 in severity, according to Microsoft—that the company even pushed out a rare patch for Windows XP, which it doesn't otherwise support. Microsoft's director of security incident response compared the potential fallout to WannaCry, the North Korean ransomware worm that caused up to $8 billion in damage when it rampaged across the internet in 2017.
And yet the digital world has been slow to defend itself. When security researcher Rob Graham scanned the entire public internet for BlueKeep-vulnerable machines on Monday, using a tool he built, he found that 923,671 machines hadn't been patched, and were thus still exposed to any potential worm. When he ran the same scan on Wednesday evening at WIRED's request, he found that the number of vulnerable machines had dropped only slightly, to 922,225.
In other words, just one thousand machines appear to have been patched in 48 hours. If that very roughly estimated rate were to continue—and it’s just as likely to slow further over time as the initial alarm around BlueKeep wanes—it would take ten years for all the remaining vulnerable machines to be patched.
Countdown to Exploitation
Graham and other security industry observers expect a public BlueKeep hacking tool and a resulting worm to appear much, much sooner, potentially within days or weeks. "A worm will happen before these systems get patched," says Graham, the CEO of consulting firm Errata Security. In fact, he expects that only the appearance of that worm will substantially change the patching rate for the computers he's scanning. "Once there's a worm, it will cleanse the internet of these vulnerable machines. It will just burn like fire."
© Flipboard and its respective authors