It has been nine days since Microsoft patched the high-severity vulnerability known as BlueKeep, and yet the dire advisories about its potential to sow worldwide disruptions keep coming.
Until recently, there was little independent corroboration that exploits could spread virally from computer to computer in a way not seen since the WannaCry and NotPetya worms shut down computers worldwide in 2017. Some researchers felt Microsoft had been unusually tight-lipped with partners about this vulnerability, possibly out of concern that any details, despite everyone's best efforts, might hasten the spread of working exploit code.
Until recently, researchers had to take Microsoft's word that the vulnerability was severe. Then five researchers from security firm McAfee reported last Tuesday that they were able to exploit the vulnerability and gain remote code execution without any end-user interaction. The post affirmed that CVE-2019-0708, as the vulnerability is indexed, is every bit as critical as Microsoft said it was.
"There is a gray area to responsible disclosure," the researchers wrote. "With our investigation we can confirm that the exploit is working and that it is possible to remotely execute code on a vulnerable system without authentication."
Further Reading:
https://arstechnica.com/information-technology/2019/05/microsoft-warns-wormable-windows-bug-could-lead-to-another-wannacry/
Entry in the "Common Vulnerabilities and Exposures" database: CVE-2019-0708.
(Score: 1, Informative) by Anonymous Coward on Saturday May 25 2019, @11:31AM (6 children)
It's a shame so many of us stopped trusting Microsoft's "security updates" after they started using Windows Update as a vector for their own malware injections.
(Score: 3, Insightful) by jmorris on Saturday May 25 2019, @02:08PM (5 children)
This. Microsoft needs to distribute a small standalone patch for something this bad, because in a choice between installing a rollup that WILL infect a system vs. trying to turn off remote desktop and praying, praying is the smarter move.
Take a look at the list of updates to avoid if you don't want "telemetry" installed. 38 patches, about half with utterly innocent descriptions about new time zones, currency changes, etc. And a side of telemetry.
(Score: 2) by Reziac on Sunday May 26 2019, @02:52AM (4 children)
They did.
https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708 [microsoft.com]
BTW, I got notification via their RSS feed.
And there is no Alkibiades to come back and save us from ourselves.
(Score: 2) by jmorris on Sunday May 26 2019, @04:27PM (3 children)
Look again, that table only lists obsolete systems where the update servers have been shut down. Windows 7 is still supported and no update, just a rollup. They really will hold a remote exploit over users' heads to try to force them into accepting malware.
(Score: 2) by Reziac on Monday May 27 2019, @08:55PM (2 children)
Nope, I downloaded and installed the update for WinXP. It's there, in fact in several flavors (embedded, XP64, etc.)
(Score: 2) by jmorris on Tuesday May 28 2019, @03:32AM (1 child)
XP != 7
(Score: 2) by Reziac on Tuesday May 28 2019, @04:59AM
Try this one.
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0708 [microsoft.com]
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4499175 [microsoft.com]