In May, Microsoft released a patch for a bug in several versions of Windows that is so bad the company felt it even had to release a fix for Windows XP, an operating system that has been unsupported for five years.
That vulnerability is known as BlueKeep, and it has kept a lot of security researchers up at night. The bug sits in Windows' Remote Desktop Services and can be triggered before any authentication takes place, which is what makes it wormable. Researchers worry that someone could write an exploit for it and turn it into a worm that wreaks havoc the way WannaCry and NotPetya did: two pieces of self-spreading malware that swept across the world in 2017, locking up hundreds of thousands of computers. BlueKeep is potentially so bad that Microsoft has not been the only one pushing hard for users to apply patches. The NSA, DHS, the UK's National Cyber Security Centre and a handful of other countries' cybersecurity emergency agencies have issued warnings about it.
Researchers were so worried about this vulnerability that, for months, no one published code for a working proof-of-concept exploit. In other words, no one wanted to be the one to prove that this kind of malware could actually be written.
On Tuesday, Immunity, a long-time US government contractor, announced that it had developed an exploit for BlueKeep and added it to Canvas, its penetration testing toolkit, which is available only to paying subscribers. Canvas customers can now exploit this bug using Immunity's own code.
Have a tip about BlueKeep, or another vulnerability or incident? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Some security researchers are already questioning Immunity’s decision, but the company is standing behind it.
“I don’t know what people thought we were going to do…” Dave Aitel, the founder of Immunity, told Motherboard. “I think everyone was like it would be great if the whole industry never released an exploit on this…but that seems silly and to really undervalue penetration testing in general.”
Aitel explained that "every patch essentially tells an exploit engineer what the vulnerability is," so companies that may be vulnerable to BlueKeep need to be able to test their systems against an exploit before the bad guys do it for them. Aitel argued that the only way to reliably test whether systems are vulnerable to BlueKeep is to have a working exploit like the one his researchers wrote.
“If you’re a customer you have to think how do I test my defensive mechanisms when I know other people have this exploit privately?” Aitel said, adding that he doesn’t worry about people using his company’s exploits for evil things such as a worm “because if that was your worry you’d have to restrict all exploits, and I think that increases risk overall.”
A security researcher who uses Canvas agreed that the concerns over Immunity's release are exaggerated. Immunity's exploit, which is written in Python, is "relatively unlikely to leak" because the company knows who its customers are, and because "enough people have already written exploits that they are keeping private for now that doubtlessly 'bad guys' have them."
“Odds are a public exploit comes out before the Canvas one leaks,” the researcher said.
As of the end of May, roughly one million Windows systems exposed to the internet were vulnerable to BlueKeep. It's hard to know which of them are valuable targets for a criminal, but it would be tempting for hackers to simply infect them all and demand a ransom, or use them to mine cryptocurrency. Marcus Hutchins, the security researcher who helped stop WannaCry, said that it's only a matter of weeks before criminals develop a good BlueKeep exploit, given that one group has already built a BlueKeep scanner into its cryptocurrency mining malware.
"[I] wouldn't be surprised if they add RCE when it becomes available," Hutchins said. RCE is shorthand for remote code execution, an exploit that lets the attacker run code on the target device, which in practice means full control of it.
Microsoft declined to comment.
It's impossible to tell whether malicious hackers will eventually exploit BlueKeep at scale. In any case, if you run any of the Windows versions vulnerable to BlueKeep (Windows XP and 7, and Windows Server 2003 through 2008 R2), you should patch, or at least mitigate. Microsoft's guidance is to install the May update; where Remote Desktop must stay enabled on an unpatched host, enable Network Level Authentication, which forces authentication before the vulnerable code path is reachable; and block TCP port 3389 at the perimeter wherever it isn't needed.
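Because BlueKeep is reachable before authentication, the one configuration check worth automating across a fleet is whether each RDP listener actually enforces Network Level Authentication. The script below is an added example, not code from the original article, from Immunity, or from Microsoft: it sends a single X.224 Connection Request asking only for standard RDP security and classifies the server's Connection Confirm, so a host that answers HYBRID_REQUIRED_BY_SERVER is mitigated even before patching, while one that accepts standard or TLS-only security is still exposed if unpatched. The message layouts follow MS-RDPBCGR; the four sample responses are constructed, not captured from real hosts. This reports configuration only and says nothing about patch level.

```python
"""Added example (not from the article, Immunity or Microsoft): check whether
an RDP server enforces Network Level Authentication (NLA / CredSSP).
Wire formats follow MS-RDPBCGR: TPKT + X.224 Connection Request / Confirm
carrying RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE."""
import socket
import struct
import sys

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2  # HYBRID = CredSSP/NLA
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
NLA_FAILURE_CODES = (5, 6)  # server insists on CredSSP before anything else


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request with an RDP_NEG_REQ.

    Requesting only PROTOCOL_RDP forces a server that enforces NLA to answer
    with RDP_NEG_FAILURE rather than quietly upgrading to CredSSP.
    """
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR TPDU: LI, code 0xE0, DST-REF, SRC-REF, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT header


def parse_connection_confirm(data):
    """Parse TPKT + X.224 Connection Confirm into a small dict."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm: code 0x%02x" % code)
    payload = data[11:5 + li]  # bytes after the 7-byte X.224 CC header
    if not payload:
        # Servers that predate protocol negotiation (XP / Server 2003 era)
        # fall through to standard RDP security, so NLA cannot be enforced.
        return {"negotiation": "none"}
    if len(payload) < 8:
        raise ValueError("truncated negotiation structure")
    ntype, _flags, _length, value = struct.unpack("<BBHI", payload[:8])
    if ntype == TYPE_RDP_NEG_RSP:
        return {"negotiation": "response", "selected_protocol": value}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"negotiation": "failure", "failure_code": value,
                "failure_name": FAILURE_CODES.get(value, "UNKNOWN")}
    raise ValueError("unexpected negotiation type 0x%02x" % ntype)


def nla_enforced(confirm):
    """True only when the server refuses to proceed without CredSSP/NLA."""
    return confirm["negotiation"] == "failure" and confirm["failure_code"] in NLA_FAILURE_CODES


def assess(confirm):
    """One-line verdict: is the pre-authentication attack surface reachable?"""
    if nla_enforced(confirm):
        return "NLA enforced: pre-auth RDP (BlueKeep) not reachable"
    if confirm["negotiation"] == "none":
        return "no negotiation (XP/2003-era host): NLA unavailable, exposed if unpatched"
    if confirm["negotiation"] == "failure":
        return "server requires %s, not NLA: exposed if unpatched" % confirm["failure_name"]
    return "standard RDP security accepted: NLA off, exposed if unpatched"


def probe(host, port=3389, timeout=5.0):
    """Send one Connection Request to a live host (only with authorisation)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        head = s.recv(4)
        if len(head) < 4 or head[0] != 3:
            raise ValueError("no TPKT response")
        body, want = b"", struct.unpack(">H", head[2:4])[0] - 4
        while len(body) < want:
            chunk = s.recv(want - len(body))
            if not chunk:
                break
            body += chunk
        return parse_connection_confirm(head + body)


# Constructed sample confirms (not captured from real hosts), one per outcome.
SAMPLE_NLA_REQUIRED = bytes.fromhex("03000013" "0ed00000123400" "0300080005000000")
SAMPLE_TLS_ONLY = bytes.fromhex("03000013" "0ed00000123400" "0300080001000000")
SAMPLE_STANDARD_RDP = bytes.fromhex("03000013" "0ed00000123400" "0200080000000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b" "06d00000123400")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(assess(probe(sys.argv[1])))  # usage: python nla_check.py HOST
    else:
        for name, raw in [("nla", SAMPLE_NLA_REQUIRED), ("tls", SAMPLE_TLS_ONLY),
                          ("rdp", SAMPLE_STANDARD_RDP), ("legacy", SAMPLE_LEGACY)]:
            print(name, "->", assess(parse_connection_confirm(raw)))
```

Asking for PROTOCOL_RDP alone is deliberate: a client that offers TLS and CredSSP as well would simply be upgraded and learn nothing, whereas an NLA-enforcing server has no choice but to reject the request with failure code 5 or 6. A TLS-only answer (SSL_REQUIRED_BY_SERVER) is not a mitigation, since TLS protects the transport but still lets an unauthenticated client into the channel-setup code that BlueKeep abuses.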
In a way, this is just the lifecycle of a bug these days.
“It’s not just about BLUEKEEP—there will always be another vulnerability that comes along and puts you at risk,” Aitel said.
Additional reporting by Joseph Cox.