Researchers Release Micropatch For ‘BlueKeep’ Critical Windows Flaw

Micro-patching service 0patch has released a fix for the “BlueKeep” flaw, aimed at always-on systems that for one reason or another cannot be rebooted or cannot apply Microsoft patches.

Microsoft released a patch for BlueKeep with its monthly update on 14 May, warning that the bug could be exploited in such a way as to create quick-spreading worms similar to the WannaCry malware that spread around the world in May 2017.

Due to its seriousness, Microsoft released the BlueKeep patch for out-of-support systems including Windows XP and Windows 2003.

In-support systems including Windows 7, Windows Server 2008 R2 and Windows Server 2008 are also affected, but Windows 8 and Windows 10 are not.

Anonymous scans search for systems vulnerable to BlueKeep. Image credit: GreyNoise/Twitter

Urgent fix

“It is important that affected systems are patched as quickly as possible,” Microsoft said in its advisory.

The issue, tracked as CVE-2019-0708, affects Remote Desktop Services.

It bypasses authentication steps and does not require user interaction, meaning it could be exploited to create a “worm” that spreads automatically from one vulnerable system to another.

That makes it similar to the EternalBlue exploit believed to have been originally discovered by the US’ NSA, and which was used in the WannaCry, NotPetya and Bad Rabbit malware outbreaks.

The exploit was also reportedly used by ransomware that targeted the city of Baltimore earlier this month, hobbling the city’s public services for weeks.

Since Microsoft’s alert, several third-party security researchers have said they have developed working exploits for BlueKeep.

Vulnerability scans

While researchers are not yet aware of active exploitation attempts, threat monitoring group GreyNoise said over the weekend it had detected scans for Windows systems vulnerable to BlueKeep.

The scans, which originate from the Tor anonymity network, are likely to indicate plans for an attack, GreyNoise said.

The 0patch fix is intended to help ward off a possible worm that could make use of large numbers of vulnerable systems, including, for instance, cash machines running Windows XP, the company said.

Such systems in some cases cannot be rebooted in order to apply official patches from Microsoft.

The 0patch fix does not require rebooting and as such is “useful for computers that can’t have Microsoft’s update applied for whatever reason, or can’t be restarted”, 0patch said on Twitter.

0patch fixes are usually a temporary measure while administrators wait for an official patch, but in this case the micropatches are likely to remain in place permanently, or until administrators find a way to bypass reboot restrictions.

Microsoft has also said that administrators can switch on Network Level Authentication (NLA) for Remote Desktop Services Connections on vulnerable systems to effectively block attacks.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
