It’s not every day that the National Security Agency urges you to update your computer.
Three weeks ago, a critical Windows security vulnerability known as BlueKeep was revealed and fixed. In that short time, Microsoft has repeatedly begged users of older Windows versions to make sure their machines are up to date. The company even released fixes for Windows XP, Server 2003, and Vista—a slate of unsupported operating systems that usually don’t get much attention.
Now, it’s an American intelligence agency echoing Microsoft.
“Recent warnings by Microsoft stressed the importance of installing patches to address a protocol vulnerability in older versions of Windows,” the NSA advisory read. “Microsoft has warned that this flaw is potentially ‘wormable,’ meaning it could spread without user interaction across the internet. We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw.”
Here’s NSA’s Rob Joyce on Twitter:
— Rob Joyce (@RGB_Lights) June 4, 2019
In addition to its more famous offensive mission of global electronic surveillance, the NSA is also tasked with defending U.S. networks. The NSA’s Cybersecurity Requirement Center authored the advisory, which listed out impacted systems and directions for mitigation.
Microsoft’s warning compares BlueKeep to WannaCry, the notorious 2017 ransomware worm allegedly developed by North Korea that infected hundreds of thousands of computers and caused millions of dollars in damage.
Although BlueKeep affects mostly older Windows versions, there are millions of old, unsupported Windows machines still out there—and, believe it or not, still being used in important places. It’s not unheard of for an American energy company, for instance, to have a Windows XP machine somewhere on the network. That’s when using an old machine becomes a vulnerability to critical infrastructure. The Defense Department is also famous for its use of ancient Windows machines.
“Although Microsoft has issued a patch, potentially millions of machines are still vulnerable,” the NSA wrote.
“This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks,” it added. “It is likely only a matter of time before remote exploitation tools are widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”