Advisory Overview:
Microsoft recently undertook efforts to protect Windows desktops and servers against a threat known as BlueKeep, a vulnerability in Remote Desktop Protocol – a tool used to remotely access a Windows desktop or server. During these efforts, Microsoft uncovered two new vulnerabilities – unofficially known as BlueKeep II and BlueKeep III – which impact components of Windows known as the Remote Desktop Services (RDS) platform. These new vulnerabilities impact all currently-supported versions of Windows desktops and servers, including Windows 10 and Server 2019.
RDS is a suite of components which includes Remote Desktop, but also includes other systems that can be in-use on a Windows system even if Remote Desktop itself is not used. Most commonly, the RDS tools are used by MSP’s and other technical professionals to provide remote assistance and administration of Windows machines.
BlueKeep II and II have both been patched by Microsoft. Your MSP can assist in ensuring that these patches are applied.
Technical detail and additional information
What is the threat?
BlueKeep is a vulnerability in RDP that was patched by Microsoft. In an effort to prevent future vulnerabilities of this type, Microsoft began the process of hardening RDP and its superset of technologies, Remote Desktop Services (RDS). During this process, Microsoft uncovered two new vulnerabilities, unofficially named BlueKeep II and BlueKeep III. While neither new threat can be attacked through RDP, they are both wormable and exploitable via other means and therefore pose a significant threat of propagation if exploited.
Why is this noteworthy?
The discovery of two new vulnerabilities is significant, especially as they both reside within the overall Remote Desktop Service architecture. Additionally, the BlueKeep II and III variants both impact later versions of Windows Desktop and Server – Windows 7 SP1 and higher on desktops and Windows Server 2008 and higher on servers. The previous version of BlueKeep impacted almost exclusively older versions of the Windows platform.
What is the exposure or risk?
The vulnerability – like the original BlueKeep – is considered “wormable,” meaning that a properly crafted exploit can propagate itself without direct user interaction. This means that payloads can spread quickly and with limited opportunity to disrupt that spread.
What are the recommendations?
As with the previous Threat Advisory, the current recommendation is to apply all available Windows updates as soon as possible. Microsoft has released patches for both BlueKeep II and BlueKeep III and made them available as part of the standard Windows Update system. If updating is not possible, all Remote Desktop Services should be immediately disabled to prevent propagation of exploits when they appear in the wild.
References:
For more in-depth information about the recommendations, please visit the following link:
If you have any questions, please contact our Security Operations Center.