Windows Defender ‘BlueHammer’ vulnerability now exploited as part of malware campaigns — CISA issues warning despite patch release on April 14
Late spring and early summer in the cybersecurity world were marked by multiple Windows exploits, thanks to the efforts of the controversial hacker figure Nightmare Eclipse. One of the better-known exploits is BlueHammer, a race condition in Windows Defender that gets you a shell with access to the SYSTEM user with just a small script — in other words, the keys to the kingdom in exchange for a double-click. Microsoft released a patch on April 14, but as a clear illustration of the lack of cybersecurity awareness, CISA (the U.S. cyber-defense agency) yesterday marked BlueHammer as actively exploited in ransomware campaigns.
That marks about a month and a half since the patch, and it illustrates quite clearly that when it comes to computer security, the publication of a patch is almost always the easy part; getting that patch into every device that needs it is the real tricky bit. The patch is part of standard Windows updates, too, so there’s really no technical reason for not installing it. Additionally, since BlueHammer gets the attackers a SYSTEM shell, the ransomware in question may encrypt parts of the OS or the boot process rather than “just” the data files, potentially making machines unusable on top.
While stating that “people don’t patch their machines” is a broad statement that won’t surprise anyone in the field, a recent report from security vendor Absolute claims the application of critical OS patches across Windows 11 and 10 lags 127 days (over 4 months) on average, and that figure basically doubled since last year. Even in enterprise settings, Absolute says the average time-to-patch is shockingly high at 76 days, or 2.5 months. While one vendor’s claims aren’t gospel, the figures aren’t too hard to believe; plus, they’re averages, meaning half the machines purportedly go unpatched for longer than those timeframes.
Depending on the source, estimates on the percentage of Windows 10 machines can vary between 15% (PassMark) and 26% (StatCounter). Calling it 20% for simplicity’s sake, that’s 1 out of 5 machines almost guaranteed to be unpatched. Techies like us know full well that Microsoft has extended security updates (ESU) for Windows 10 twice now, with the new real EOL now being October 14, 2027. The problem is, although enrolling a machine into ESU is trivial, the lack of public awareness essentially guarantees these machines will remain vulnerable until they’re upgraded or replaced.
Meanwhile, Nightmare Eclipse says they’re “done with taking a break”, and that “July will be an incredibly interesting month because [they] will drop some really interesting and possibly insanely controversial findings.”
