posted by martyb on Saturday May 25 2019, @07:10AM
from the maybe-we-*should*-be-worried dept.

It has been nine days since Microsoft patched the high-severity vulnerability known as BlueKeep, and yet the dire advisories about its potential to sow worldwide disruptions keep coming.

Until recently, there was little independent corroboration that exploits could spread virally from computer to computer in a way not seen since the WannaCry and NotPetya worms shut down computers worldwide in 2017. Some researchers felt Microsoft has been unusually tight-lipped with partners about this vulnerability, possibly out of concern that any details, despite everyone's best efforts, might hasten the spread of working exploit code.

Until recently, researchers had to take Microsoft's word the vulnerability was severe. Then five researchers from security firm McAfee reported last Tuesday that they were able to exploit the vulnerability and gain remote code execution without any end-user interaction. The post affirmed that CVE-2019-0708, as the vulnerability is indexed, is every bit as critical as Microsoft said it was.

"There is a gray area to responsible disclosure," the researchers wrote. "With our investigation we can confirm that the exploit is working and that it is possible to remotely execute code on a vulnerable system without authentication."

Story:
https://arstechnica.com/information-technology/2019/05/why-a-windows-flaw-patched-nine-days-ago-is-still-spooking-the-internet/

Further Reading:
https://arstechnica.com/information-technology/2019/05/microsoft-warns-wormable-windows-bug-could-lead-to-another-wannacry/

Entry in the "Common Vulnerabilities and Exposures" database: CVE-2019-0708.


  • (Score: 3, Interesting) by shortscreen on Saturday May 25 2019, @07:23AM (20 children)

    by shortscreen (2252) on Saturday May 25 2019, @07:23AM (#847533) Journal

    TFS doesn't say RDP but this sounds like the RDP vulnerability that I read about the other day.

    Windows 2000 workstation doesn't have the RDP service so it looks like I'm going to miss out on this party :( Although since MS went to the trouble of releasing a patch for XP, I downloaded the patches in case I feel like updating my two laptops that came with different versions of Windows. But they're on the other side of the NAT so I guess no RDP packets are coming in anyway. (If I don't know what I'm talking about and someone wants to correct me that's fine too. It was always said that the quickest way to get information on USENET was to post something horribly wrong and then wait for the corrections to flood in.)

  • (Score: 3, Informative) by RS3 on Saturday May 25 2019, @08:04AM

    by RS3 (6367) on Saturday May 25 2019, @08:04AM (#847535)

    You're probably okay if you're using a typical recent home gateway (router). You likely have "firewall" which means no ports are open to the Internet by default. Many gateways have pre-programmed packages of ports you can turn on for gaming, nanny-cams, etc. If you know how to get into the admin of the gateway, you can and should check this.

    There's NAT in and a separate NAT out. You can have no open ports to the Internet, but when your computer sends a packet, the gateway will remember and open a port to receive the packets. NAT will translate the IP addresses and port numbers.

    And it's very easy to turn RDP off in Windows. You can even disable the services to be sure it's off.

    Usually the only worrisome port typically turned on in Windows is SMB / CIFS - Windows file sharing, and having that port open to the Internet would be disastrous if you have "server" or Windows file sharing turned on.

    I'm sure others will add (or subtract!) from this...

  • (Score: 0) by Anonymous Coward on Saturday May 25 2019, @08:07AM (1 child)

    by Anonymous Coward on Saturday May 25 2019, @08:07AM (#847538)

    Of course you're wrong. But no one else knows any better, so it's cool. ;^)

    • (Score: 0) by Anonymous Coward on Saturday May 25 2019, @01:38PM

      by Anonymous Coward on Saturday May 25 2019, @01:38PM (#847578)

      Of course you're wrong. But no one else knows any better, so it's cool. ;^)

      Really? Maybe you should read this comment [soylentnews.org]

  • (Score: 0) by Anonymous Coward on Saturday May 25 2019, @08:38AM (16 children)

    by Anonymous Coward on Saturday May 25 2019, @08:38AM (#847541)

    Yes. It's the RDP Vulnerability.

    From https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 [microsoft.com] :

    A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    If port TCP/3389 is open through your firewall, you can be compromised with an exploit of this vulnerability.

    • (Score: 2) by ledow on Saturday May 25 2019, @10:33AM (15 children)

      by ledow (5567) on Saturday May 25 2019, @10:33AM (#847551) Homepage

      Not if you have NLA turned on (and why wouldn't you) - you'd then need to authenticate to the server properly in order to be able to do anything (i.e. it then becomes an "internal user only" attack).

      And it seems to only affect 2008R2 and below... including Windows 7 (which is basically EOL, people, wake up).
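An added example (not code from the thread, from Microsoft, or from the advisory) that audits, from the host side, the settings the comments above rely on: whether RDP connections are allowed, whether the Remote Desktop service is running and listening, whether NLA (the UserAuthentication value) is required so the pre-authentication surface is closed, and whether a given hotfix is installed. The registry paths and value names are the standard Terminal Server settings; the KB identifier is a placeholder to be filled in from the Microsoft advisory for the host's OS.

```powershell
# Added example: audit this host's RDP exposure for CVE-2019-0708.
# Assumption: run in an elevated PowerShell on the Windows host being checked.
param(
    # Placeholder: the CVE-2019-0708 hotfix KB differs per OS build; take it from the advisory.
    [string]$PatchKb = 'KB<placeholder>'
)

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means RDP is disabled; UserAuthentication = 1 means NLA is required;
# SecurityLayer = 2 means TLS is required for the RDP listener.
$rdpDenied = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nla       = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$secLayer  = (Get-ItemProperty -Path $tcp -Name SecurityLayer      -ErrorAction SilentlyContinue).SecurityLayer
$port      = (Get-ItemProperty -Path $tcp -Name PortNumber         -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }   # default RDP port when the value is absent

$svc       = Get-Service -Name TermService -ErrorAction SilentlyContinue
$listening = [bool](netstat -ano | Select-String -Pattern "TCP\s+\S+:$port\s+\S+\s+LISTENING")
$patched   = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

$findings = @()
if ($rdpDenied -ne 1) { $findings += "RDP connections are allowed (fDenyTSConnections=$rdpDenied)" }
if ($svc -and $svc.Status -eq 'Running') { $findings += "Remote Desktop service (TermService) is running" }
if ($listening) { $findings += "A listener is bound on TCP/$port; confirm the gateway does not forward it" }
if ($nla -ne 1) { $findings += "NLA not required (UserAuthentication=$nla): unauthenticated RDP requests reach the service" }
if ($secLayer -ne 2) { $findings += "SecurityLayer=$secLayer (2 = TLS required)" }
if (-not $patched) { $findings += "Hotfix $PatchKb not found on this host" }

if ($findings.Count -eq 0) {
    Write-Output "OK: RDP disabled or NLA-protected, and $PatchKb is installed"
} else {
    Write-Output "Findings:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Disabling RDP entirely (fDenyTSConnections = 1 and stopping TermService) removes the exposure regardless of NLA; the NLA check matters for hosts that must keep RDP on.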

      • (Score: 1, Informative) by Anonymous Coward on Saturday May 25 2019, @11:31AM (6 children)

        by Anonymous Coward on Saturday May 25 2019, @11:31AM (#847552)

        It's a shame so many of us stopped trusting Microsoft's "security updates" after they started using Windows Update as a vector for their own malware injections.

        • (Score: 3, Insightful) by jmorris on Saturday May 25 2019, @02:08PM (5 children)

          by jmorris (4844) on Saturday May 25 2019, @02:08PM (#847590)

          This. Microsoft needs to distribute a small standalone patch for something this bad, because in a choice of install a rollup that WILL infect a system vs try to turn off remote desktop and pray, praying is the smarter move.

          Take a look at the list of updates to avoid if you don't want "telemetry" installed. 38 patches, about half with utterly innocent descriptions about new time zones, currency changes, etc. And a side of telemetry.

      • (Score: 2) by crafoo on Saturday May 25 2019, @11:35AM (2 children)

        by crafoo (6639) on Saturday May 25 2019, @11:35AM (#847554)

        Win7 x64 was their last good operating system.

        • (Score: 3, Touché) by isostatic on Saturday May 25 2019, @12:55PM (1 child)

          by isostatic (365) on Saturday May 25 2019, @12:55PM (#847568) Journal

DOS6.22 called and wanted its statements back

          • (Score: 3, Insightful) by hemocyanin on Saturday May 25 2019, @02:50PM

            by hemocyanin (186) on Saturday May 25 2019, @02:50PM (#847603) Journal

            meh -- DR-DOS gave you more usable memory back in the day. Maybe 6.22 did too, I don't have any memory, but then, I didn't use MS-DOS after switching to DR-DOS.

      • (Score: 3, Insightful) by RS3 on Saturday May 25 2019, @04:21PM (4 children)

        by RS3 (6367) on Saturday May 25 2019, @04:21PM (#847639)

        Windows 7 (which is basically EOL, people, wake up)

        Which begs the question: is it okay (and even legal) for a company to be almost a monopoly, no strike that, just that a company charges for a horribly defective product, does some patching but NEVER fixes all of the bugs, and then tells you, in a patronizing way, that you have to buy a new one? Only to continue the cycle? I'd rather make them finish an OS before starting a new one. The only reason they're getting away with it is that Bill Gates made that original brilliant deal with IBM, and the courts didn't strike it down.

        And why are you defending them?

        Are you aware that this was a problem with the car companies long ago? And there were many brands to choose from- no monopoly. The US Govt. had to mandate that ALL car manufacturers had to provide parts and service for 10 years. And then later came the "lemon laws". How about "lemon laws" for OSes?

        Let's face it- each new Windows was supposed to be completely different, right? I'm waiting for "completely different". MacOS and Linux are completely different. Each Windows version has been some slight (and annoying) changes, with different icons, colors, buttons, just to fool the masses. Nope, no dirty market manipulation there.

        I think it's been said many times: as more and more applications are ported to a browser UI, the OS will be less and less relevant.

        • (Score: 2) by ledow on Saturday May 25 2019, @04:29PM (3 children)

          by ledow (5567) on Saturday May 25 2019, @04:29PM (#847647) Homepage

          Windows 7 is ten years old.

          • (Score: 3, Insightful) by RS3 on Saturday May 25 2019, @05:00PM (2 children)

            by RS3 (6367) on Saturday May 25 2019, @05:00PM (#847658)

            Are you sure? I'm still getting updates, telling me it's an unfinished product. Do we start a product's lifetime at conception? Or Alpha? Or Beta? Or pre-release?

            And why should 10 years be a thing for software? Cars wear out. Software does not.

            Again, why are you defending this?

            And Linux is almost 28.

            • (Score: 2) by Reziac on Sunday May 26 2019, @02:49AM (1 child)

              by Reziac (2489) on Sunday May 26 2019, @02:49AM (#847783) Homepage

              And my linux install gets multiple updates every week. Clearly it is an unfinished product.

--
And there is no Alkibiades to come back and save us from ourselves.

              • (Score: 2) by RS3 on Sunday May 26 2019, @04:46AM

                by RS3 (6367) on Sunday May 26 2019, @04:46AM (#847819)

                Features!

                But seriously, you're not making a fair comparison. Linux is FREE. I paid my M$ tax and got swiss cheese. My free Linux is much more stable, and the community generally (GENERALLY) fixes bugs much faster than MS.

                Do you own MS stock, or work for MS?

                Look, truth be told, I understand the whole situation. An OS is enormously complex, and it's difficult to know all of the possible interactions with the very wide range of software out there. MS has done a truly stellar job of supporting older applications running on newer OS. They do many things well, esp. tutorials and example code. I just wish they'd commit to finishing an OS. Maybe they will with 10. Time will tell.