Microsoft Windows users who haven’t patched their OS (or are using an unsupported version) are at risk of attackers exploiting a vulnerability known as BlueKeep. The Cybersecurity and Infrastructure Security Agency (CISA), Homeland Security’s lead cybersecurity agency, said it successfully tested a working exploit for the BlueKeep vulnerability.
Specifically, the agency was able to remotely run code on a Windows 2000 computer using BlueKeep, it stated in an advisory. The bug affects computers that are running Windows 7 or earlier (as well as Windows Server 2003 and 2008), and gives potential attackers access through Microsoft’s Remote Desktop Services.
The BlueKeep vulnerability is “wormable”, meaning an attacker only has to gain access to one computer in order to gain control of all the other devices on its network. Microsoft already issued patches for the bug last month, but private security firm Errata estimated that millions of devices still remain vulnerable. While an attacker has yet to take advantage of the bug, doing so could easily lead to a repeat of 2017’s WannaCry malware outbreak that impacted systems worldwide, including Britain’s NHS, Honda and FedEx.
CISA is asking users of older Microsoft systems to install the available security updates. Microsoft has even released patches for operating systems that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003. If you’re a regular end-user running Windows 7 or older, you’re likely better off upgrading to a newer version of Windows for added security.
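As an added triage aid (not from the article, CISA, or Microsoft), the script below flags a host that both runs one of the Windows releases named above and has Remote Desktop enabled, so an administrator can prioritise patching or upgrading it. It assumes it is run locally with rights to read WMI and the registry, and it deliberately uses PowerShell 2.0-era cmdlets so it works on the old systems in question; it does not check whether the update is installed, which is left to patch-management tooling.

```powershell
# Windows version numbers for the releases the article lists as affected
# (Windows 7 / Server 2008 R2 = 6.1, Vista / Server 2008 = 6.0,
#  Server 2003 / XP x64 = 5.2, XP = 5.1, Windows 2000 = 5.0).
# Windows 8 (6.2) and later are not in this list and are not flagged.
$AffectedMajorMinor = @('6.1', '6.0', '5.2', '5.1', '5.0')

function Get-BlueKeepExposure {
    # Get-WmiObject rather than Get-CimInstance: the latter needs PowerShell 3.0,
    # which the affected operating systems often do not have.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version
    $majorMinor = "$($ver.Major).$($ver.Minor)"
    $affected = $AffectedMajorMinor -contains $majorMinor

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)

    # New-Object PSObject keeps the output compatible with PowerShell 2.0.
    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        OSCaption      = $os.Caption
        OSVersion      = $os.Version
        AffectedFamily = $affected
        RDPEnabled     = $rdpEnabled
        # Needs attention when the OS family is affected AND RDP is reachable.
        NeedsAttention = $affected -and $rdpEnabled
    }
}

Get-BlueKeepExposure | Format-List ComputerName, OSCaption, OSVersion, AffectedFamily, RDPEnabled, NeedsAttention
```

A host reporting `AffectedFamily = True` with `RDPEnabled = False` still needs the update, since RDP can be switched on later; the flag only orders the work.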