The National Security Agency is warning users that a recent vulnerability affecting Windows 7 and Windows XP systems is potentially “wormable,” meaning that it could be exploited and weaponized by malware.
Microsoft issued an alert in mid-May about a Remote Code Execution vulnerability, known as CVE-2019-0708, that can affect Windows 7, Windows XP, Windows 2003, Windows Server 2008 R2, and Windows Server 2008. Since then, the vulnerability has been nicknamed “BlueKeep.” Microsoft issued a BlueKeep patch for Windows 7, and another BlueKeep patch for Windows XP. Microsoft strongly urges users to patch affected systems.
That’s because code designed to exploit the vulnerability could spread pre-authentication and without any user interaction. Those are the same conditions that let WannaCry propagate as a worm, Microsoft warned. WannaCry took down millions of computers in 2017, using an unsophisticated yet pervasive attack that infected computers with ransomware.
The National Security Agency is concerned that this could happen again. “This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability,” the NSA wrote. “For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”
Though more than two weeks have elapsed since the vulnerability was discovered, Microsoft warned that cybercriminals often don’t move that quickly. In the case of EternalBlue, the vulnerability that enabled WannaCry, about two months passed between the vulnerability being discovered and its exploitation in the wild. “Despite having nearly 60 days to patch their systems, many customers had not,” Microsoft said.
Naturally, Microsoft is taking the opportunity to encourage customers to migrate from older operating systems to Microsoft’s latest OS, Windows 10. Though Microsoft took the unusual step of publishing a BlueKeep patch for Windows XP, Windows 7 ends its support lifespan this coming January.
“Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected,” Microsoft wrote. “Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows.”