• The sky is not falling: DejaBlue (aka BlueKeep II, III, IV, V) are not being exploited in the wild


    #1907945

    I’m hearing a lot of saber rattling, urging folks to install the latest Patch Tuesday patches to guard against the newly-discovered BlueKeep variants.
    [See the full post at: The sky is not falling: DejaBlue (aka BlueKeep II, III, IV, V) are not being exploited in the wild]

    • #1907952

      Is that what this article on CNN is referring to?
      Microsoft warns Windows 10 users to update immediately
      https://www.cnn.com/2019/08/14/tech/windows-10-microsoft-security-update-trnd/index.html

      • #1907957

        Susan Bradley Patch Lady/Prudent patcher

        • #1908026

          You are correct, Patch Lady. Kelly is a Chicken Little reporter who says “the sky is falling”. At least he gets his facts right, which is more than I can say for Jordan Valinsky (CNN) with a similar story. I still wonder if Kelly and/or Valinsky are being paid by Micro$oft to start a panic & get people to update ASAP. Yes, it’s a conspiracy theory & it holds as much water as the Clinton/Trump ones about Jeffrey Epstein’s death.

          Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broken the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy a new adapter if I wish to continue using it.
          Wild Bill Rides Again...

      • #1907986

        Same concern for me. Is it urgent to patch? I am sick, at home, my brain is like jello LOL, not the best day to deal with MS patches! On a family version, updates are totally blocked, because 1903 wants to install.

        Please, I need clear-as-crystal explanations, if I may ask! Thanks!

      • #1908001

        @PkCano – thanks for confirming DEFCON-2 for this.

        Follow-up FYI –

        The CNN article appears to be misleading. It says ONLY Windows 10 is affected and specifically mentions that all other versions of Windows are NOT affected.

        The Forbes article links to Microsoft’s Security Response Center article which says ALL versions of Windows are affected and lists them.

        • #1908024

          The Forbes article does include all affected versions of Windows. The author, Gordon Kelly, however, seems to be reliving the Y2K Panic days. His lede: “Windows users, stop what you’re doing because Microsoft has issued a critical warning across all versions of its platforms, including every version of Windows 10, and told users they must act now.” BTW, the ZDNet article he linked to did have “A RACE TO PATCH BEFORE ATTACKS GET UNDERWAY”, but it was a section header, not a “warning” as Kelly frames it. The ZDNet article is fairly even-handed, IMO, & not panicky at all.

          As for CNN, my take: calling an apple a banana (#1907915). Paying attention to Woody, all the MVPs & Bosses, & especially to MS-DEFCON 2.

          Wild Bill Rides Again...

          • #1908085

            Yes, all Windows including XP and above.

            • #1908203

              Yes, all Windows including XP and above.

              Not XP.

            • #1908262

              According to what Microsoft said, “Windows XP, Windows Server 2003, and Windows Server 2008 are not affected, nor is the Remote Desktop Protocol (RDP) itself affected”. I infer from this that Vista is also unaffected because of what it shares with Server 2008.

    • #1908062

      Hey Woody, Ms Bradley et al: what about this issue: https://www.theregister.co.uk/2019/08/13/windows_notepad_flaw/

      • #1908124

        Tavis has done a great sleuthing job. But it’s not currently being exploited and it’s officially “Less likely” to be exploited and “Important,” not “Go out and fix it now.”

    • #1908273

      And even if they were exploited, I’m thinking that for people who practice safe (enough) computing, the risks of patching outweigh those of not patching more and more. Have some sense of where not to stick your browser and what not to run, and use some decent security software, including a firewall blocking all inbound connections and prompting about anything outbound not matching existing rules (and even more so if said software also has HIPS that will notify of unusual activity even if it is not directly caught as malicious, which may well be the case if a trusted process is being exploited), and end of support for Win 7 may even be a good thing. Not forever, and not if you want new hardware, sadly, but for up to a couple of years, if you keep that computer? Sure starting to seem like it.

      — Cavalary

    • #1908313

      The fear factor gets a lot of reads these days. Some titles make it sound like all users are facing impending doom unless they update, when none of it is actively exploited, just the typical lab-developed proof of concept. I don’t bother reading any of it except to make myself aware of the potential threat. We’ve experienced this since the whole Spectre/Meltdown hysteria.

    • #1908330

      Just wondering – how much lead time did folks have when WannaCry exploits went live?

      (I know the explosion of the worm itself didn’t happen till well after patches were available, but I can’t remember if most folks had advance notice that exploits were in use before it became a nightmare.)

      • #1908334

        Short answer: Two months.

        WannaCry first appeared on May 12.

        Microsoft issued MS10-070, the EternalBlue patch, on March 14.

        • #1908344

          My question – how long before May 12 was it known that exploits were available?

          I know it was patched long before the explosion… like this latest round o’ happiness. Just wondering when you first raised the flag here that WannaCry was a valid reason to patch. (How far in advance of the nastiness, in other words.)

          Just wondering how reasonable/rational it is to wait until exploits are known/circulating. Is there enough time at that point, or is it already too late?

          I really DO want your opinion; I’m not just stating mine.

          • #1908384

            Do not know what the lag between patch and release of an exploit will be, if an exploit is released to the wild. The point is, often there is no immediate threat for an issue, so patching does not need to be done stat. It just needs to be done in the next few weeks. Watch the DEFCON level for when to patch.

            The regular press traditionally does a miserable job of covering tech issues. And often they like to use clickbait headlines to grab views with sensationalized stories. Too often they will report on a possible threat as being extremely nasty. But when you read what is required (often physical access to the computer) you wonder just how nasty the problem really is for a normal user; often almost nil.

            • #1908398

              I’ve been working in this industry since 1987; understanding the tension between FUD and Woody’s DEFCON system isn’t the issue.

    • #1908332

      Meh. I was just watching a CNN news brief – and even THEY are telling people that they have to get Windows patched right now. On a news brief.

      • #1908347

        Boss Man, I’m sure this is a conspiracy theory that’s as credible as the Clinton/Trump ones about Jeffrey Epstein’s death… but could Micro$oft have paid CNN to start a Y2K-like panic? To convince more people, especially Win10 users, to click “Check for updates”?! I’m glad I’m waiting for the all-clear… to upgrade to 1909 AKA 19H2 AKA “1903 Service Pack”!

        Wild Bill Rides Again...

        • #1908431

          Can users disable the Remote Desktop Services if they are never used for that method of system administration, and is it an effective mitigation for these exploits?

          • #1908447

            RDP isn’t on by default, but you could block port 3389 via firewall inbound/outbound connections to satisfy the need for doing something.
            I’ve done it on all our Windows systems with no ill effects.

            Windows - commercial by definition and now function...
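As an added example (my own script, not from any poster in this thread), this is how an admin could check whether Remote Desktop is enabled and listening, and add the inbound 3389 block rules described above. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later (the NetSecurity cmdlets are not present on Windows 7); the rule names are my own choice.

```powershell
# Added example: audit Remote Desktop state and block inbound RDP at the host firewall.
# Run from an elevated PowerShell prompt (Windows 8 / Server 2012 or later).
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Is Remote Desktop enabled? fDenyTSConnections = 1 means it is disabled.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 1) { "Remote Desktop is disabled (fDenyTSConnections=1)." }
else             { "Remote Desktop is ENABLED (fDenyTSConnections=$deny)." }

# 2. Is anything actually listening on TCP 3389 right now?
$listen = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue
if ($listen) { "Port 3389 has a listener (PID $($listen.OwningProcess))." }
else         { "Nothing is listening on port 3389." }

# 3. Add inbound block rules for TCP and UDP 3389 (idempotent: skip if present).
#    Rule names below are my own naming convention, not a Windows default.
foreach ($proto in 'TCP', 'UDP') {
    $name = "Block inbound RDP ($proto 3389)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
            -LocalPort 3389 -Action Block -Profile Any | Out-Null
        "Created firewall rule: $name"
    } else {
        "Firewall rule already present: $name"
    }
}

# 4. Optional: turn the feature off entirely, which is what the question above asks about.
#    Uncomment on machines that never use Remote Desktop.
# Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
```

Blocking 3389 at the host firewall removes the exposure only for that listener; it is a workaround while the patch is pending, not a substitute for applying it.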
    • #1908410

      Patching is looking to be necessary this month but won’t be a silver bullet fix. Why? BlueKeep? Pfft, no. Look up the ctfmon issue. CVE-2019-1162 covers this issue. A proof of concept was just released in the last couple of days.

      From my understanding, ctfmon will need to be rebuilt from the ground up as, right now, it allows an attacker to bypass most to all local security on a Windows system.

      • #1908439

        I’m sure I used to disable ctfmon in Windows XP Pro, as it was disclosed back then as being a potential issue. Did that through the XPAntispy utility, which replaced ctfmon with a dummy file instead, IIRC.

        Windows - commercial by definition and now function...
    • #1908449

      Well I guess the good news is we’ll have a lot more beta testers this month.  🙂

      Red Ruffnsore

      • #1908450

        Especially from the Nervous Nellies reacting to the CNN & Forbes panic stories…

        Wild Bill Rides Again...
