
Despite Windows BlueKeep exploitation freak-out, no one stepped on the gas with patching, say experts

Admins snoozing on fixes despite reports of active attacks

The flurry of alerts in recent weeks of in-the-wild exploitation of the Windows RDP BlueKeep security flaw did little to change the rate at which people patched their machines, it seems.

This is according to eggheads at the SANS Institute, who have been tracking the rate of patching for the high-profile vulnerability over the last several months and, via Shodan, monitoring the number of internet-facing machines that have the remote desktop flaw exposed.

First disclosed in May of this year, BlueKeep (CVE-2019-0708) describes a bug in the Windows Remote Desktop Protocol that allows an attacker to gain remote code execution without any user interaction. Microsoft has had a patch out for the bug since it was first disclosed.

Over the last week or so, reports came that miscreants were lobbing active exploits for BlueKeep at honeypot systems. These attacks were found to be attempts by hackers to infect machines with cryptocoin-mining software and led to a series of media reports urging users to patch their machines now that BlueKeep exploits had arrived in earnest.

According to SANS, those reports did not do much to get people motivated. The security institute says that the rate of BlueKeep-vulnerable boxes it tracks on Shodan has been on a pretty steady downward slope since May, and the media's rush to sound alarms over active attacks did not change that.

That means, while plenty of admins and users have fixed up their boxes, the headlines did not spur those lagging into patching up their systems.

"The percentage of vulnerable systems seems to be falling more or less steadily for the last couple of months," noted SANS researcher Jan Kopriva of Alef Nula, "and it appears that media coverage of the recent campaign didn’t do much to help it."

That doesn't, however, mean that there is no threat of a BlueKeep malware outbreak. While the SANS duo say that BlueKeep-vulnerable machines are decreasing in number, there are still more than enough exposed boxes to make for an attractive exploit target.

"Since there still appear to be hundreds of thousands of vulnerable systems out there," they point out, "we have to hope that the worm everyone expects doesn’t arrive any time soon."

Fortunately, this week will be a good time for users and admins to get themselves caught up on patches for BlueKeep and other security fixes that have been posted over the summer by Microsoft.

With the November edition of Patch Tuesday slated to land tomorrow, users can fire up Software Update and get that and previous security fixes to make sure they are protected from all of the known vulnerabilities. ®
