Written by Sean Lyngaas
Since May, security researchers have been sounding the alarm about the “BlueKeep” vulnerability in old Microsoft Windows operating systems. There has been a large movement to get users to patch for the flaw, which could be exploited at scale. Data released Wednesday by cybersecurity-ratings company BitSight Technologies show a mixed report card on how well organizations have closed that security hole.
First, the bad news: as of July 2, more than 805,000 internet-facing operating systems are still vulnerable to BlueKeep, the Boston-based company said. That leaves a broad potential attack surface for anyone who exploits the vulnerability. BlueKeep is “wormable,” meaning malware that exploits it could spread from network to network on its own. By abusing the remote access granted by Remote Desktop Services, a Windows program, a hacker could delete data or install a new program on a system.
“We are really trying to encourage organizations to take action and to address their externally exposed systems,” Dan Dahlberg, BitSight’s director of security research, told CyberScoop.
The good news is that, since the end of May, the number of systems vulnerable to BlueKeep is down 17 percent, according to BitSight, and at least 854 vulnerable systems are being patched each day.
The survey also highlights differences in patching across industries. Among the laggards are electric and water utilities – where patching in sensitive control system environments has to account for downtime at an industrial facility. Since the end of May, fewer than 10 percent of the utility organizations surveyed by BitSight have remediated BlueKeep on their external-facing networks.
Since the BitSight survey is drawn from internet scans of public-facing systems, it does not include two big variables that would factor into the impact of a future BlueKeep exploit: the unknown number of systems in an organization’s internal network that aren’t patched for BlueKeep, and the risk facing an organization from one of its vendors being susceptible to the vulnerability.
As Dahlberg warned, organizations that only worry about their perimeter but not about their internal systems “are still going to be significantly at risk” if and when BlueKeep starts getting exploited in the wild.