Newsletter Archives
-
BlueKeep now being used in attacks – but the sky isn’t falling
Remember BlueKeep – the “wormable” monster infection that was supposed to take over the Windows world?
Two months ago, I warned that there was a working exploit making the rounds.
We finally saw a slightly modified version of that Metasploit exploit used in a for-real infection. Except it isn’t nearly as scary as originally projected, doesn’t operate as a worm, and isn’t exactly taking the world by storm.
Kevin Beaumont found evidence of the infection in some honeypots he had set up – but had stopped monitoring.
https://twitter.com/GossiTheDog/status/1190654984553205761
As expected, folks who have disabled RDP, or who block inbound port 3389 from the internet, are fine as far as this campaign goes. (If RDP has to stay reachable, Microsoft's recommended mitigation is to require Network Level Authentication, and note that moving RDP to a non-standard port is not the same as blocking it.) Still…
Word to the wise: If you haven’t updated your Win7 or Server 2008/Server 2008 R2 machine since May, when the BlueKeep fix shipped, you’d better get on the stick.
See, there’s a reason why you have to update sooner or later.
Full details from Catalin Cimpanu at ZDNet. Thx GoneToPlaid (who just had a Tesla mode named after him).
UPDATE:
https://twitter.com/GossiTheDog/status/1191148135344693248
-
Heads up: There’s a working, free (but stunted) BlueKeep exploit making the rounds
Remember BlueKeep? That’s the wormable hole in Windows Remote Desktop (CVE-2019-0708, a pre-authentication remote code execution bug in Remote Desktop Services on Win7, Server 2008/2008 R2 and older versions). We’ve talked about it a lot since it first came up in May.
@NetDef just posted a link to Kevin Beaumont’s tweet:
https://twitter.com/GossiTheDog/status/1170014744176148481
If you haven’t patched since May — or if you’re installing manual, security-only patches and somehow skipped May — get off your duff now.
Details in Computerworld Woody on Windows.
UPDATE: Kevin says he wouldn’t call it “defanged” — and he has a good point. I probably should’ve called it “unable to reproduce.” But don’t let that keep you from getting patched.
UPDATE: Good coverage from Catalin Cimpanu at ZDnet.
ANOTHER UPDATE: The released exploit “only works against 64-bit versions of Windows 7 and Windows 2008 R2, but not the other Windows versions that were also vulnerable to BlueKeep,” per Cimpanu.
ANOTHER UPDATE: From Kevin
https://twitter.com/GossiTheDog/status/1170051213825646595
-
August updates still dribbling in
PATCH WATCH
By Susan Bradley
With August rapidly coming to a close, it’s time to review the status of Windows exploits and any lingering patch side effects.
The Remote Desktop Protocol (RDP) threats — BlueKeep and the follow-on DejaBlues — are still missing in action. To my knowledge, there are no in-the-wild attacks using the original BlueKeep or this month’s BlueKeep II and BlueKeep III.
Read the full story in AskWoody Plus Newsletter 16.31.0 (2019-09-02).
-
DejaBlue update: We’re still safe.
https://twitter.com/GossiTheDog/status/1162661131070136320
-
The sky is not falling: the DejaBlue bugs (aka BlueKeep II, III, IV, V) are not being exploited in the wild
I’m hearing a lot of saber rattling, urging folks to install the latest Patch Tuesday patches to guard against the newly-discovered BlueKeep variants. One blog says, “So patch your PCs and spread the word. Millions of users around the world refuse to update their versions of Windows but, in this case, the threat is immediate, viral and very real.”
Horsepucky.
Permit me to remind you that BlueKeep itself hasn’t been reliably exploited. The threat is real, but it’s not viral or immediate.
That said, Kevin Beaumont thinks these new bugs may be able to circumvent Microsoft’s recommended “mitigation” for BlueKeep: requiring NLA may not break the infection chain.
I’ll be keeping a close eye on developments. In the meantime, I still don’t see any pressing reason to install this month’s patches — and I’m seeing more and more reports of bugs.
We’re still at MS-DEFCON 2.
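Both the earlier post (folks who disabled RDP or blocked 3389 are fine) and this one (NLA as the recommended mitigation) turn on a question you can answer from the network: does a given RDP listener still accept a legacy, pre-NLA connection? The script below is an added example, not code from AskWoody, Kevin Beaumont or Microsoft. It performs only the first RDP exchange (the X.224 Connection Request/Confirm carrying the RDP negotiation structures from MS-RDPBCGR) and reports which security layer the server will settle for. The constants are the ones MS-RDPBCGR defines; the host and port arguments and the sample replies are assumptions constructed for the example. A "legacy-rdp" or "no-negotiation" verdict means an unauthenticated client reaches the pre-auth code path BlueKeep lives in; an "nla" verdict means the mitigation is enforced on the wire. Neither verdict tells you whether CVE-2019-0708 is patched, and, as the post says, NLA may not be enough for the DejaBlue bugs.

```python
"""Check whether an RDP listener still accepts legacy, pre-NLA connections.

Added example, not code from AskWoody, Kevin Beaumont or Microsoft. It does
only the first RDP exchange (X.224 Connection Request/Confirm carrying the
RDP negotiation structures from MS-RDPBCGR 2.2.1.1 and 2.2.1.2) and reports
which security layer the server will settle for. It says nothing about
whether CVE-2019-0708 is patched; it only shows whether the NLA mitigation
is actually enforced on the wire.
"""
import socket
import struct

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # "standard RDP security": no TLS, no NLA
PROTOCOL_SSL = 0x00000001        # TLS, but authentication still inside RDP
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. Network Level Authentication
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03

# failureCode values (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # CR code 0xE0, DST-REF, SRC-REF, class option, then the negotiation request
    body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = struct.pack("B", len(body)) + body           # length indicator first
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def classify_response(data):
    """Parse the server's X.224 Connection Confirm; return (verdict, detail).

    legacy-rdp      standard RDP security accepted: NLA is not enforced
    tls-only        TLS selected or required, but no NLA
    nla             CredSSP selected, or HYBRID_REQUIRED_BY_SERVER returned
    no-negotiation  CC TPDU without rdpNegData (RDP 5.x era server: legacy only)
    failure         negotiation failed for another reason
    malformed       not an RDP Connection Confirm we understand
    """
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:   # TPKT v3, X.224 CC
        return "malformed", "not a TPKT-framed X.224 Connection Confirm"
    neg = data[11:4 + 1 + data[4]]          # rdpNegData follows the 6-byte CC header
    if not neg:
        return "no-negotiation", "server offers standard RDP security only"
    if len(neg) < 8:
        return "malformed", "truncated rdpNegData"
    ntype, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if ntype == TYPE_RDP_NEG_RSP:
        if value == PROTOCOL_RDP:
            return "legacy-rdp", "server selected PROTOCOL_RDP"
        if value == PROTOCOL_SSL:
            return "tls-only", "server selected PROTOCOL_SSL"
        if value in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX):
            return "nla", "server selected CredSSP"
        return "malformed", "unknown selectedProtocol 0x%08x" % value
    if ntype == TYPE_RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, "failureCode %d" % value)
        if value in (5, 6):
            return "nla", "RDP_NEG_FAILURE " + name
        if value == 1:
            return "tls-only", "RDP_NEG_FAILURE " + name
        return "failure", "RDP_NEG_FAILURE " + name
    return "malformed", "unexpected rdpNegData type 0x%02x" % ntype


def probe(host, port=3389, timeout=5.0):
    """Ask a live server for legacy RDP security and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return classify_response(sock.recv(1024))


# Constructed sample replies for offline use (not captured from real hosts).
def _connection_confirm(neg_data=b""):
    body = struct.pack(">BHHB", 0xD0, 0, 0x1234, 0) + neg_data
    x224 = struct.pack("B", len(body)) + body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

SAMPLE_LEGACY = _connection_confirm(struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP))
SAMPLE_NLA = _connection_confirm(struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 5))
SAMPLE_RDP5 = _connection_confirm()

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # python rdp_nla_check.py <host> [port]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 3389))
    else:
        for label, pkt in (("legacy", SAMPLE_LEGACY), ("nla", SAMPLE_NLA), ("rdp5", SAMPLE_RDP5)):
            print(label, classify_response(pkt))
```

Run it with no arguments to see the three constructed replies classified, or with a host (and optional port) you are responsible for to probe a real listener. The check deliberately asks for PROTOCOL_RDP and nothing else: a server that honours that request, or that pre-dates negotiation altogether, is exactly the population the May patch was written for, whatever port it happens to be listening on.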
-
The BlueKeep situation gets murkier
There have been rumors for the past two weeks that there’s a working BlueKeep exploit on the darkweb. We’ve been fielding (and blocking) many posts on AskWoody claiming that the BlueKeep exploit is real and living in the ooze.
Catalin Cimpanu (who, along with Kevin Beaumont, is my guiding light on the topic) just posted a response to an inquiry from Kirsty:
https://twitter.com/campuscodi/status/1156883469131288579
This is coming to a head because @zerosum0x0 now claims to have cracked the problem and handed all of his info over to Metasploit. If that’s true, and Metasploit publishes it (by no means a done deal, on either count), it could mean that we’re closer to a real, live BlueKeep worm.
-
Even though there’s a BlueKeep exploit for sale, it doesn’t work very well – doesn’t propagate, for example
Catalin Cimpanu wrote in ZDNet on Friday that there’s a “weaponized” BlueKeep exploit available if you have the cash.
(More BlueKeep info here.)
There are several reasons why I didn’t raise the alarm, among them one comment from the folks selling the “pen test” exploit:
our version is not self-propagating (a worm)
It’s ostensibly only used to test your system to see if it’s vulnerable to BlueKeep-style exploits.
A couple of hours ago, Kevin Beaumont (who coined the name “BlueKeep” and is following it intently) reinforced my reticence:
https://twitter.com/GossiTheDog/status/1155808509499514880
Still nothing to worry about. But for heaven’s sake, if you run a Win7, Vista or XP machine, or a Server 2008/2008 R2 or other server edition of the same vintage, and you haven’t installed any patches since May, you need to get patched NOW.
-
BlueKeep is almost here. If you haven’t installed Win7/XP patches since May, get your systems patched!
https://twitter.com/campuscodi/status/1154317144173273088
https://twitter.com/GossiTheDog/status/1154325804060479489