  • The sky is not falling: DejaBlue (aka BlueKeep II, III, IV, V) are not being exploited in the wild


    This topic contains 28 replies, has 16 voices, and was last updated by  WildBill 4 days, 8 hours ago.

    • Author
      Posts
    • #1907945 Reply

      woody
      Da Boss

      I’m hearing a lot of saber rattling, urging folks to install the latest Patch Tuesday patches to guard against the newly-discovered BlueKeep variants.
      [See the full post at: The sky is not falling: DejaBlue (aka BlueKeep II, III, IV, V) are not being exploited in the wild]

      6 users thanked author for this post.
    • #1907952 Reply

      opti1
      AskWoody Plus

      Is that what this article on CNN is referring to?
      Microsoft warns Windows 10 users to update immediately
      https://www.cnn.com/2019/08/14/tech/windows-10-microsoft-security-update-trnd/index.html

      1 user thanked author for this post.
      • #1907957 Reply

        Susan Bradley
        AskWoody MVP
        • #1908026 Reply

          WildBill
          AskWoody Plus

          You are correct, Patch Lady. Kelly is a Chicken Little reporter who says “the sky is falling”. At least he gets his facts right, which is more than I can say for Jordan Valinsky (CNN) with a similar story. I still wonder if Kelly and/or Valinsky are being paid by Micro$oft to start a panic & get people to update ASAP. Yes, it’s a conspiracy theory & it holds as much water as the Clinton/Trump ones about Jeffrey Epstein’s death.

          Windows 8.1, 64-bit, now in Group B!
          Wild Bill Rides Again...

      • #1907986 Reply

        Philomene123
        AskWoody Plus

        Same concern for me. Is it urgent to patch? I am sick, at home, my brain is like jello LOL, not the best day to deal with MS patches! On a family version, updates are totally blocked, because 1903 wants to install.

        Please, I need clear as crystal explanations if I may ask! Thanks!

      • #1908001 Reply

        opti1
        AskWoody Plus

        @pkcano – thanks for confirming DEFCON-2 for this.

        Follow-up FYI –

        The CNN article appears to be misleading. It says ONLY Windows 10 is affected and specifically mentions that all other versions of Windows are NOT affected.

        The Forbes article links to Microsoft’s Security Response Center article which says ALL versions of Windows are affected and lists them.

        • #1908024 Reply

          WildBill
          AskWoody Plus

          The Forbes article does include all affected versions of Windows. The author, Gordon Kelly, however, seems to be reliving the Y2K Panic days. His lede: “Windows users, stop what you’re doing because Microsoft has issued a critical warning across all versions of its platforms, including every version of Windows 10, and told users they must act now.” BTW, the ZDNet article he linked to did have “A RACE TO PATCH BEFORE ATTACKS GET UNDERWAY”, but it was a section header, not a “warning” as Kelly frames it. The ZDNet article is fairly even-handed, IMO, & not panicky at all.

          As for CNN, my take: calling an apple a banana: #1907915. Paying attention to Woody, all the MVPs & Bosses, & especially to MS-DEFCON 2.

          Windows 8.1, 64-bit, now in Group B!
          Wild Bill Rides Again...

          1 user thanked author for this post.
          • #1908085 Reply

            GoneToPlaid
            AskWoody Plus

            Yes, all Windows including XP and above.

            • #1908203 Reply

              Alex5723
              AskWoody Plus

              “Yes, all Windows including XP and above.”

              Not XP.

            • #1908262 Reply

              anonymous

              According to what Microsoft said, “Windows XP, Windows Server 2003, and Windows Server 2008 are not affected, nor is the Remote Desktop Protocol (RDP) itself affected”.  I infer from this that Vista is also unaffected because of what it shares with Server 2008.

    • #1908062 Reply

      JohnH
      AskWoody Plus

      Hey Woody, Ms Bradley et al: what about this issue: https://www.theregister.co.uk/2019/08/13/windows_notepad_flaw/

      • #1908124 Reply

        woody
        Da Boss

        Tavis has done a great sleuthing job. But it’s not currently being exploited and it’s officially “Less likely” to be exploited and “Important,” not “Go out and fix it now.”

    • #1908273 Reply

      anonymous

      And even if they would be exploited, thinking that for people who practice safe (enough) computing, the risks of patching outweigh those of not patching more and more. Have some sense of where not to stick your browser and what not to run and use some decent security software, including a firewall blocking all inbound connections and prompting about anything outbound not matching existing rules, and even more so if said software also has HIPS that will notify of unusual activity even if not directly caught as malicious (which may well be the case if a trusted process is being exploited), and end of support for Win 7 may even be a good thing. Not forever, and not if you want new hardware sadly, but for up to a couple of years, if you keep that computer? Sure starting to seem like it.

      — Cavalary

    • #1908313 Reply

      John
      AskWoody Lounger

      The fear factor gets a lot of reads these days. Some titles make it sound like all users are facing impending doom unless they update, when none of it is actively exploited, just the typical lab-developed proof of concept. I don’t bother reading any of it except to make myself aware of the potential threat. We’ve experienced this since the whole Spectre/Meltdown hysteria.

      2 users thanked author for this post.
    • #1908330 Reply

      jabeattyauditor
      AskWoody Lounger

      Just wondering – how much lead time did folks have when WannaCry exploits went live?

      (I know the explosion of the worm itself didn’t happen till well after patches were available, but I can’t remember if most folks had advance notice that exploits were in use before it became a nightmare.)

      2 users thanked author for this post.
      • #1908334 Reply

        woody
        Da Boss

        Short answer: Two months.

        WannaCry first appeared on May 12.

        Microsoft issued MS10-070, the EternalBlue patch, on March 14.

        2 users thanked author for this post.
        • #1908344 Reply

          jabeattyauditor
          AskWoody Lounger

          My question – how long before May 12 was it known that exploits were available?

          I know it was patched long before the explosion… like this latest round o’ happiness. Just wondering when you first raised the flag here that WannaCry was a valid reason to patch. (How far in advance of the nastiness, in other words.)

          Just wondering how reasonable/rational it is to wait until exploits are known/circulating. Is there enough time at that point, or is it already too late?

          I really DO want your opinion; I’m not just stating mine.

          1 user thanked author for this post.
          • #1908384 Reply

            lurks about
            AskWoody Lounger

            Do not know what the lag between patch and release of an exploit will be, if an exploit is released to the wild. The point is often there is no immediate threat for an issue, so patching does not need to be done stat. It just needs to be done in the next few weeks. Watch the DEFCON level for when to patch.

            The regular press traditionally does a miserable job of covering tech issues. And often they like to use clickbait headlines to grab views with sensationalized stories. Too often they will report on a possible threat as being extremely nasty. But when you read what is required (often physical access to the computer) you wonder just how nasty the problem really is for a normal user; often almost nil.

            1 user thanked author for this post.
            • #1908398 Reply

              jabeattyauditor
              AskWoody Lounger

              I’ve been working in this industry since 1987; understanding the tension between FUD and Woody’s DEFCON system isn’t the issue.

    • #1908332 Reply

      woody
      Da Boss

      Meh. I was just watching a CNN news brief – and even THEY are telling people that they have to get Windows patched right now. On a news brief.

      2 users thanked author for this post.
      • #1908347 Reply

        WildBill
        AskWoody Plus

        Boss Man, I’m sure this is a conspiracy theory that’s as credible as the Clinton/Trump ones about Jeffrey Epstein’s death… but could Micro$oft have paid CNN to start a Y2K-like panic? To convince more people, especially Win10 users, to click “Check for updates”?! I’m glad I’m waiting for the all-clear… to upgrade to 1909 AKA 19H2 AKA “1903 Service Pack”!

        Windows 8.1, 64-bit, now in Group B!
        Wild Bill Rides Again...

        • #1908431 Reply

          anonymous

          Can users disable the Remote Desktop services if they are never used for that method of system administration? Is it an effective mitigation for these exploits?

          • #1908447 Reply

            Microfix
            Da Boss

            RDP isn’t on by default, but you could block port 3389 via firewall inbound/outbound connections to satisfy the need for doing something.
            I’ve done it on all our Windows systems with no ill effects.

            ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********
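            The mitigation Microfix describes, as an added example that is not from the thread or from any AskWoody author: a PowerShell script that audits whether RDP is actually enabled, listening and already blocked on a host, and on request adds an inbound firewall block for TCP 3389. It assumes an elevated session on Windows 8.1/10 or Server 2012 and later (the NetSecurity cmdlets are not on Windows 7); the rule name is a placeholder of our own choosing.

```powershell
# Added example, not from the AskWoody thread. Audit RDP exposure on this host
# and optionally block inbound TCP 3389. Run elevated; needs Windows 8.1/10 or
# Server 2012+ for Get-NetTCPConnection / New-NetFirewallRule.
param([switch]$Block)

$RuleName = 'Block-RDP-3389-Inbound'   # constructed rule name, not a Windows default

# 1. Registry switch behind "Allow remote connections": 1 = denied (default), 0 = allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# 2. State of the Remote Desktop Services service (TermService).
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
$svcStatus = if ($svc) { $svc.Status } else { 'not present' }

# 3. Is anything actually listening on TCP 3389 right now?
$listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

# 4. Has our block rule already been created?
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

[pscustomobject]@{
    RdpEnabledInRegistry = $rdpEnabled
    TermServiceStatus    = $svcStatus
    ListeningOn3389      = [bool]$listener
    BlockRulePresent     = [bool]$existing
} | Format-List

if ($Block -and -not $existing) {
    # Block inbound TCP 3389 on every profile. The post also blocks outbound; that is
    # left alone here because it only stops this machine connecting *to* RDP servers,
    # which is not the exposure the RDP advisories concern.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -Action Block -Profile Any -Enabled True | Out-Null
    Write-Output "Inbound TCP 3389 is now blocked by rule '$RuleName'."
}
```

            Run it without `-Block` first to see the host's state; if RDP is disabled in the registry and nothing is listening on 3389, the rule is defence in depth rather than a fix for an exposed service.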

    • #1908410 Reply

      anonymous

      Patching is looking to be necessary this month but won’t be a silver-bullet fix. Why? BlueKeep? Pfft, no. Look up the ctfmon issue. CVE-2019-1162 covers this issue. A proof of concept was just released in the last couple of days.

      From my understanding, ctfmon will need to be rebuilt from the ground up as, right now, it allows an attacker to bypass most to all local security on a Windows system.

      1 user thanked author for this post.
      • #1908439 Reply

        Microfix
        Da Boss

        I’m sure I used to disable ctfmon in Windows XP Pro, as it was disclosed back then as being a potential issue. Did that thru the XPAntispy utility, which replaced ctfmon with a dummy file instead, IIRC.

        ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

    • #1908449 Reply

      Mr. Natural
      AskWoody Plus

      Well I guess the good news is we’ll have a lot more beta testers this month.  🙂

      Red Ruffnsore reporting from the front lines.

      • #1908450 Reply

        WildBill
        AskWoody Plus

        Especially from the Nervous Nellies reacting to the CNN & Forbes panic stories…

        Windows 8.1, 64-bit, now in Group B!
        Wild Bill Rides Again...

        1 user thanked author for this post.
