More than 800,000 Windows systems worldwide remain vulnerable to BlueKeep, according to new research.
Risk management vendor BitSight Technologies published a report that showed approximately 805,665 systems online — as of July 2 — that remain vulnerable to BlueKeep. That figure represents a decrease of about 17% from BitSight’s previous findings from May 31.
BlueKeep, which was coined by U.K.-based security researcher Kevin Beaumont, is a critical vulnerability that affects the remote desktop protocol (RDP) in older Windows OSes such as Windows 7, Windows XP and Windows Server 2008. The vulnerability could allow unauthorized parties to perform remote code execution on vulnerable systems.
BlueKeep was first disclosed and patched by Microsoft on May 14, but in the days and weeks that followed a number of alerts from Microsoft, as well as the National Security Agency and Department of Homeland Security, warned Windows users that the flaw was “wormable” and urged them to patch immediately. While no BlueKeep attacks have been detected in the wild, several cybersecurity vendors and researchers have demonstrated — but not released — proof-of-concept exploits for the vulnerability.
Two weeks after Microsoft patched BlueKeep, Robert Graham, owner of Errata Security in Portland, Ore., reported that he found “roughly 950,000” vulnerable systems on the public internet using a customized scanning tool. BitSight used Graham’s tool in its own scanning platform and found 972,829 vulnerable Windows systems as of May 31.
The company’s latest research showed that since its initial scans, 167,000 fewer vulnerable systems were found online. Of the total number, BitSight’s report said around 92,000 have “since been observed to be patched;” the remaining systems could have turned off RDP or are frequently changing their IP addresses.
Dan Dahlberg, head of security research at BitSight and author of the report, said the progress is a positive sign but that more work is obviously needed to address the remaining vulnerable systems. “It’s good that we observed some amount of progress rather than having the number remain relatively consistent over that time period,” he said.
The challenge, Dahlberg said, is that organizations that typically use the older Windows OSes “are less likely to be patching this on a much more urgent basis because they probably don’t have the sophistication and technology in terms of patch management or software controls.”
BitSight performed periodic internet scans for BlueKeep-vulnerable systems, but Dahlberg said it’s difficult to associate the activity with discrete points in time regarding the alerts and warnings. “That doesn’t necessarily mean those announcements didn’t have any influence,” he said. “I think they had a significant amount of influence in terms of motivating at least some companies [to patch].”
BlueKeep patching trends
According to the BitSight report, several countries “demonstrated notable reductions” in the number of systems exposed to BlueKeep. For example, China reduced the number of vulnerable systems by 109,670 (a nearly 24% decrease from BitSight’s previous report), while the U.S. saw its number of vulnerable systems drop by 26,787 or approximately 20.3%.
BitSight also broke down patching trends by industry vertical. According to the report, the industries that saw the biggest reductions in vulnerable systems since May 31 were legal (32.9%), nonprofit/NGO (27.1%) and aerospace/defense (24.1%). The industries that saw the smallest drops in vulnerable systems were consumer goods (5.3%), utilities (9.5%), and technology (9.5%).
In addition, BitSight measured the overall exposure of each industry to BlueKeep going forward. Legal, insurance and finance were the least exposed to the vulnerability, while telecommunications and education were the most exposed, followed by technology, utilities and government/politics.