The Cybersecurity and Infrastructure Security Agency (CISA), the cybersecurity division of the Department of Homeland Security, is urging Windows users who haven’t already done so to patch their operating system to prevent attackers from taking advantage of a vulnerability known as BlueKeep.
The agency said tests it conducted alongside outside partners demonstrated that the bug, tracked as CVE-2019-0708 and located in Remote Desktop Services (RDP), allows an unauthenticated attacker to achieve remote code execution on a Windows 2000 computer with no user interaction. The vulnerability affects Windows 7 and earlier client releases, including Windows XP, as well as Windows Server 2003, 2008 and 2008 R2; Windows 8 and later are not affected.
Could be as serious as WannaCry attacks
The bug is considered wormable “because malware exploiting this vulnerability on a system could propagate to other vulnerable systems,” CISA explained. “A BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.”
"CISA encourages users and administrators to review the Microsoft Security Advisory and the Microsoft Customer Guidance for CVE-2019-0708 and apply the appropriate mitigation measures as soon as possible," CISA said in its advisory.
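The mitigations CISA points to in Microsoft's customer guidance are, in order of strength: install the May 2019 security update, and until then disable Remote Desktop where it is not needed or require Network Level Authentication (NLA) so the pre-authentication RDP code path is not reachable by anonymous clients. The following PowerShell script is an added example, not CISA's or Microsoft's code, that reports a single host's standing on each of those points. It is written for PowerShell 2.0 so it runs on the Windows 7 and Server 2008 hosts that are actually in scope. The KB numbers in `$BlueKeepFixKBs` and the registry values it reads are assumptions stated in the comments; confirm them against the Microsoft guidance for CVE-2019-0708 before relying on the verdict.

```powershell
# Added example: local BlueKeep (CVE-2019-0708) exposure check for one host.
# Not CISA's or Microsoft's code. The KB list and the registry semantics below are
# assumptions taken from Microsoft's May 2019 customer guidance; verify before use.
# Written for PowerShell 2.0 so it runs on the Windows 7 / Server 2008 hosts in scope.

# Security updates Microsoft shipped for CVE-2019-0708 in May 2019 (assumption: verify).
$BlueKeepFixKBs = @(
    'KB4499175', 'KB4499164',   # Windows 7 SP1 / Server 2008 R2 SP1 (security-only / monthly rollup)
    'KB4499180', 'KB4499149',   # Windows Server 2008 SP2 / Vista SP2
    'KB4500331'                 # Windows XP SP3 / Server 2003 (out-of-band, out-of-support releases)
)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

$os        = Get-WmiObject -Class Win32_OperatingSystem
$osVersion = [version]$os.Version      # 6.1 = Win7/2008 R2, 6.0 = Vista/2008, 5.x = XP/2003/2000

# Everything before 6.2 (Windows 8 / Server 2012) is inside the affected range.
$inScope = $osVersion -lt [version]'6.2'

# fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
$deny        = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpDisabled = ($deny -eq 1)

# UserAuthentication = 1 means NLA is required, so the vulnerable pre-auth path is only
# reachable with valid credentials; 0 or missing means anonymous clients reach it directly.
$nla         = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# A non-default listening port carries the same flaw; record what is configured, not 3389.
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }

# Installed hotfixes, matched against the fix list.
$installed  = Get-HotFix | ForEach-Object { $_.HotFixID }
$fixPresent = @($BlueKeepFixKBs | Where-Object { $installed -contains $_ }).Count -gt 0

# Patching is the only real fix; disabling RDP and requiring NLA are the stop-gaps.
if (-not $inScope) {
    $verdict = 'NOT AFFECTED (OS outside the vulnerable range)'
} elseif ($fixPresent) {
    $verdict = 'PATCHED'
} elseif ($rdpDisabled) {
    $verdict = 'UNPATCHED but Remote Desktop disabled (mitigated only while it stays off)'
} elseif ($nlaRequired) {
    $verdict = 'UNPATCHED; NLA required (partial mitigation, patch still needed)'
} else {
    $verdict = 'VULNERABLE: unpatched, RDP enabled, no NLA'
}

New-Object PSObject -Property @{
    Host         = $env:COMPUTERNAME
    OS           = $os.Caption
    Version      = $os.Version
    InScope      = $inScope
    FixInstalled = $fixPresent
    RdpDisabled  = $rdpDisabled
    NlaRequired  = $nlaRequired
    RdpPort      = $port
    Verdict      = $verdict
} | Format-List
```

Two caveats when reading the output. `Get-HotFix` reports the KB of the package that was installed, so a host brought current through a later monthly rollup (which contains the fix but carries a different KB number) will show `FixInstalled` as false; extend `$BlueKeepFixKBs` with the rollup you actually deployed, or treat that result as "check manually" rather than "vulnerable". And the NLA verdict is a partial mitigation by design: it keeps anonymous clients away from the flaw but does nothing against an attacker who already holds credentials, which is why Microsoft's guidance still tells administrators to patch.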
The National Security Agency (NSA) published a similar advisory earlier this month warning about the potentially serious risks of BlueKeep.
"We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw," the organization said.
Both warnings were published after Microsoft itself implored users to update their Windows systems in light of the “critical” bug, a step it underlined by issuing fixes even for the out-of-support Windows XP and Windows Server 2003. The tech giant said nearly one million computers directly connected to the internet were believed to still be vulnerable to BlueKeep as of late May.
The fact that there hasn’t been any sign of a worm yet doesn’t mean the threat is over, the company stressed.
“This does not mean that we’re out of the woods. If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner,” Microsoft said.