
Heads up: A free, working exploit for BlueKeep just hit


Karlston


Heads up: A free, working exploit for BlueKeep just hit

If you haven’t yet installed the May Windows patches (yes, May), your machine just inherited a giant “Kick me” sign.

Padlock on pink binary background with Windows logo
Thinkstock/Microsoft

There’s been a lot of discussion about BlueKeep, its ramifications and various strategies for blocking it. In a nutshell, it’s a security hole in the Windows Remote Desktop Protocol that allows a malicious program to enter your machine – if you have Remote Desktop turned on, it’s accessible directly from the internet, and you haven’t installed the May patches.


Two weeks ago, Susan Bradley posted a CSO article that details ways admins can avoid using RDP. I’ve seen reams of advice about blocking ports, disabling services, setting authentication levels, deploying voodoo dolls, reading chicken entrails…, but the simplest way for almost everybody to avoid the problem is to install the May (or later) Windows patches.


Earlier today, Kevin Beaumont – who I consider to be a world-class authority on the subject – posted this warning:

The first public, free #BlueKeep exploit is out in Metasploit now.

He, in turn, points to this article by Brent Cook on the Rapid7 site:

By default, Metasploit’s BlueKeep exploit only identifies the target operating system version and whether the target is likely to be vulnerable. The exploit does not currently support automatic targeting; it requires the user to manually specify target details before it will attempt further exploitation. If the module is interrupted during exploitation, or if the incorrect target is specified, the target will crash with a bluescreen. Users should also note that some elements of the exploit require knowledge of how Windows kernel memory is laid out, which varies depending on both OS version and the underlying host platform (virtual or physical); the user currently needs to specify this correctly to run the exploit successfully. Server versions of Windows also require a non-default configuration for successful exploitation—namely, changing a registry setting to enable audio sharing. This limitation may be removed in the future.

So the next worm isn’t yet a massive threat – but you can bet that it will be. Soon.


Get the May (or later) Windows patches applied. Now.

Thx @NetDef


More on AskWoody.


Source: Heads up: A free, working exploit for BlueKeep just hit (Computerworld - Woody Leonhard)


UPDATE: Kevin says he wouldn’t call it “defanged” — and he has a good point. I probably should’ve called it “unable to reproduce.” But don’t let that keep you from getting patched.


UPDATE: Good coverage from Catalin Cimpanu at ZDnet.


ANOTHER UPDATE: The released exploit “only works against 64-bit versions of Windows 7 and Windows 2008 R2, but not the other Windows versions that were also vulnerable to BlueKeep,” per Cimpanu.


ANOTHER UPDATE: From Kevin


Source: Heads up: There’s a working, free (but stunted) BlueKeep exploit making the rounds (AskWoody - Woody Leonhard)



Seems that even if you only do the monthly security update rollups, as long as the May 2019 patch was installed, then no worries. Just remember that these monthly security rollups are not cumulative! May is the important patch for this particular exploit.

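The article's advice (Remote Desktop turned on, reachable from the internet, May patches missing) and the reply above (confirm the May 2019 update is actually installed) both boil down to a handful of local checks. The script below is an added example written for this thread, not code from Computerworld, AskWoody or any of the posters. It is a read-only PowerShell audit that reports whether RDP is enabled, whether Network Level Authentication is required, whether anything is listening on the RDP port (3389/tcp), and whether one of the expected updates is present. The KB identifiers in `$RequiredKBs` are placeholders, since the thread does not name them; substitute the May 2019 (or later) rollup and security-only update IDs for your OS from Microsoft's release notes. It uses only cmdlets available on Windows 7 / Server 2008 R2 (PowerShell 2.0), which are the versions the released exploit targets per the update above.

```powershell
# Added example (not the article's or the forum's own code): audit the
# BlueKeep exposure conditions the thread describes on a single host.
# Run from an elevated PowerShell prompt. All checks are read-only.
param(
    # PLACEHOLDER identifiers: replace with the real May 2019 (or later)
    # monthly rollup / security-only update IDs for this OS.
    [string[]]$RequiredKBs = @('KB-PLACEHOLDER-ROLLUP', 'KB-PLACEHOLDER-SECURITY-ONLY')
)

# Small helper so the report keeps a fixed column order on PowerShell 2.0.
function New-Finding([string]$Check, $Value) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value } |
        Select-Object Check, Value
}

$findings = @()

# 1. Is Remote Desktop enabled?  fDenyTSConnections = 1 means RDP is OFF.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$denied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denied -eq 0)
$findings += New-Finding 'RDP enabled' $rdpEnabled

# 2. Is Network Level Authentication required?  UserAuthentication = 1 means
#    a client must authenticate before a full session is set up.
$nlaKey = "$tsKey\WinStations\RDP-Tcp"
$nla = (Get-ItemProperty -Path $nlaKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$findings += New-Finding 'NLA required' ($nla -eq 1)

# 3. Is anything listening on the RDP port?  netstat is used because
#    Get-NetTCPConnection does not exist on Windows 7 / 2008 R2.
$listening = @((netstat -an) -match ':3389\s+\S+\s+LISTENING').Count -gt 0
$findings += New-Finding 'Port 3389 listening' $listening

# 4. Is at least one of the required updates installed?
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
$patched = @($RequiredKBs | Where-Object { $installed -contains $_ }).Count -gt 0
$findings += New-Finding 'Required update present' $patched

# 5. Record the OS version so the report is self-describing.  The exploit
#    discussed in the thread concerns 64-bit Windows 7 / Server 2008 R2.
$os = Get-WmiObject Win32_OperatingSystem
$findings += New-Finding 'OS' ("{0} {1} ({2})" -f $os.Caption, $os.Version, $os.OSArchitecture)

$findings | Format-Table -AutoSize

# The combination the article warns about: RDP on and the May update absent.
if ($rdpEnabled -and -not $patched) {
    Write-Warning 'Remote Desktop is enabled and none of the required updates were found. Install the May 2019 (or later) update, or disable RDP, before this host is reachable from untrusted networks.'
} elseif ($rdpEnabled -and -not ($nla -eq 1)) {
    Write-Warning 'Remote Desktop is enabled without Network Level Authentication; enabling NLA adds an authentication step in front of the RDP session setup.'
} else {
    Write-Output 'No BlueKeep exposure condition from the thread was detected on this host.'
}
```

`Get-HotFix` only lists updates recorded by the Windows Update / servicing stack, so a host patched through a third-party tool may need the KB check adapted; the registry and port checks are unaffected by that.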

