Sluggish response seems to have become the hallmark of industries when it comes to patching.
Two months after Microsoft discovered and patched the BlueKeep vulnerability, more than 0.8 million systems online remain vulnerable, according to an assessment by BitSight Technologies. That’s down just 17 percent since the company’s first assessment of exposure to the BlueKeep vulnerability a month ago.
Dormant, but alive
On 14 May, Microsoft issued a warning about the BlueKeep vulnerability affecting Remote Desktop Services Protocol (RDP). This is a component common in most versions of Microsoft Windows, which allows remote access to its graphical interface. An external attacker can use this vulnerability to compromise the full system without requiring any form of authentication or user interaction.
"Given the potential impact to customers and their businesses, we made the decision to make security updates available for platforms that are no longer in mainstream support," the company said in the warning.
"We recommend that customers running one of these operating systems download and install the update as soon as possible."
However, the trouble still looms large. In June, the US Department of Homeland Security announced that it had achieved remote code execution on a computer running a vulnerable version of Windows 2000. The agency listed Windows 2000, Vista, XP, 7 and Windows Server 2003, 2003 R2, 2008 and 2008 R2 as vulnerable.
The US National Security Agency (NSA) also warned Microsoft Windows users to make sure they are using updated systems to guard against the flaw. Several cyber-security researchers have demonstrated proof-of-concept exploits for the vulnerability.
"There are reports of reliable exploits for this vulnerability privately circulating, including unconfirmed reports of an exploit being available for purchase on the darknet as early as September of 2018," said the BitSight report.
"One information security professional, Robert Graham, created a tool to check the presence of the vulnerability on any given system, and subsequently performed a full Internet scan to check for exposed vulnerable systems; he identified over 900,000 systems vulnerable to this issue," it added.
"While the number of unpatched systems has decreased since May, it’s simply not enough. There is a lot of fear, uncertainty, and doubt in the security industry, but that’s not the case here," said Bob Huber, CSO of Tenable.
Microsoft had pulled the plug on support for older versions of Windows -- 2000, Vista, XP -- years ago, and has repeatedly urged customers to update. The response has been dismal.
The UK’s NHS this week faced severe criticism from security experts after it disclosed that it still runs more than 2,000 PCs on Windows XP. The health service provider is currently executing a £150-million plan to upgrade all systems to Windows 10 by 14 January 2020.
"This equates to 0.16 percent of the NHS estate," UK health secretary Jackie Doyle-Price told parliament. "We are supporting NHS organisations to upgrade their existing Microsoft Windows operating systems, allowing them to reduce potential vulnerabilities and increase cyber-resilience."
"Any organisation still using Windows XP today is taking a huge gamble with their security and will be putting the data they hold at serious risk," said Laurie Mercer, security engineer at HackerOne.
"Out of date software needs to be updated, upgraded and, if this is not possible, switched off. Ordinary people have no choice whether they use the NHS or not so do not have the option of choosing a more secure provider."
The NHS was crippled by the WannaCry attack -- which exploited a BlueKeep-like vulnerability -- in 2017, with close to 19,000 appointments cancelled, costing £92 million to clean up. The agency faced severe criticism from parliament at that time.
"I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment," MP Meg Hillier, chairman of the Public Accounts Committee, said in a damage assessment report in June 2018. SC Media reported this month that the NHS is still a sitting duck for cyber-criminals.
An annual study by Duo Security highlighted the prevalent use of outdated software, particularly in the Windows-dominated healthcare sector, where 56% of Windows devices still run an outdated operating system. The sector uses internet-connected devices and software that are not always designed or updated by vendors to run the latest Windows OS, leaving them more vulnerable to malware such as WannaCry, it said.
"Organisations and users alike should not brush this off as ‘hype’. This vulnerability is no joke; BlueKeep has all the makings of becoming the next WannaCry or NotPetya. Patch now before it’s too late," urged Huber.