The US National Security Agency (NSA) rarely comes forward with recommendations for everyday people. However, in an advisory published this week, the NSA issued a stark warning, urging “Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of a growing threat.” Those who don’t heed the advice could face “devastating” consequences.
The threat the NSA refers to, according to a report by Forbes, is BlueKeep. Microsoft has also been telling users to “update now” to keep the threat at bay.
Recent research showed that nearly 1 million internet-capable machines are vulnerable to BlueKeep on port 3389, the port used by Microsoft Remote Desktop, though that number may not capture the full scope. If the vulnerability were exploited, the threat could be on a similar scale to the devastating WannaCry virus.
It isn’t clear why the NSA decided to issue the advisory, particularly since the agency didn’t use the typical US Computer Emergency Readiness Team (US-CERT) channel.
“I suspect that they may have classified information about actor(s) who might target critical infrastructure with this exploit,” said Ian Thornton-Trump, head of security at AmTrust International. He also noted “that critical infrastructure is largely made up of the XP, 2K3 family.”
Not all Windows versions are affected by the vulnerability: systems running Windows 8 or Windows 10 are not vulnerable. Systems running Windows 2003, Windows XP, or Windows Vista are affected.
Ethical hacker John Opdenakker also believes the advisory could indicate that the NSA is privy to threat intelligence that prompted the warning.
“If it’s actively being exploited, then I kind of understand why they would do it,” said Opdenakker. “It’s certainly not being exploited at scale though, otherwise we would have heard about it already.”
Thornton-Trump added that “governments are more or less the ultimate authority; vetting, testing and intelligence all has to be assembled and internally red-teamed before an estimate of risk can be assigned.”
While BlueKeep hasn’t resulted in a widespread issue yet, it is wise to heed the NSA’s advice and apply the necessary updates on all potentially vulnerable systems.