A security researcher has published a detailed guide that shows how to execute malicious code on Windows computers still vulnerable to the critical BlueKeep vulnerability. The move significantly lowers the bar for writing exploits that wreak the kinds of destructive attacks not seen since the WannaCry and NotPetya attacks of 2017, researchers said.
As of three weeks ago, more than 800,000 computers exposed to the Internet were vulnerable to the exploit, researchers from security firm BitSight said last week. Microsoft and a chorus of security professionals have warned of the potential for exploits to sow worldwide disruptions. The risk of the bug, found in Microsoft's implementation of the remote desktop protocol, stems from the ability for attacks to spread from one vulnerable computer to another with no interaction required of end users.
One of the only things standing in the way of real-world attacks is the expertise required to write exploits that remotely execute code without crashing the computer first. Several highly skilled whitehat hackers have done so with varying levels of success, but they have kept the techniques that make this possible secret. Much of that changed overnight, when a security researcher published this slide deck to Github. "It basically gives a how-to guide for people to make their own RCE," independent research Marcus Hutchins told Ars, using the abbreviation for remote code execution. "It's a pretty big deal given that now there is almost no bar to stop people publishing exploit code." The explainer significantly lowers the bar even to developers who are "not very skilled at all," Hutchins said. That's because it shows how to solve one of the most vexing problems in successfully gaining code execution from BlueKeep—successfully carrying out an exploitation technique known as a heap spray against the vulnerable remote desktop service.