Newsletter Archives

  • Another patching debacle — how we got here


    By Woody Leonhard

    Frantic moves to fix this month’s Windows-update bugs highlight the dark underbelly of Microsoft’s patching strategy.

    August patches have been flying around like salmon in Seattle’s Pike Place Market. Now that the major bugs are fixed — for the most part — it’s time to look at what happened and speculate on whether this type of debacle can be avoided in the future.

    Here’s the short version of events.

    Read the full story in AskWoody Plus Newsletter 16.30.0 (2019-08-26).

  • Patch Lady – How to avoid using RDP in Windows

    An important new article from Susan Bradley in CIO Online:

    BlueKeep and DejaBlue are both potent threats. All of the variants depend on Remote Desktop Services, reached over the Remote Desktop Protocol (commonly abbreviated RDP). Susan Bradley takes you through the steps to avoid or hide RDP, particularly in an enterprise.

    I still recommend that you not install the August Windows patches, which include DejaBlue fixes, specifically because they’re throwing errors like flowers at a wedding. (The May patches for BlueKeep are another story entirely. You should’ve installed those long ago.) But if you have RDP enabled on an internet-facing connection, it’s time to shut it off.

    Those of you connected to corporate servers should follow Susan’s advice and figure out an alternative to public-facing RDP. Those of you with standalone computers can take a couple of simple steps:

    In Vista or Win7, click Start and choose Computer. At the top of the window, click System properties. On the left, click Remote settings. You should be on the Remote tab; under Remote Desktop, the button marked “Don’t allow connections to this computer” should be selected. If it isn’t, click it and click OK.

    In Win10, right-click Start and choose System. On the left, choose Remote Desktop. Make sure the slider to Enable Remote Desktop is set Off.

    I’m not going to guarantee that those simple steps will ward off the Blue Evil Eyes, if and when they appear. But they’ll make breaking your system with the Blues just that much harder.
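    The same check and shutoff, scripted. This is an added example and not part of Woody’s article: it reads the registry value the GUI radio button and slider actually flip (fDenyTSConnections under the Terminal Server key), reports whether anything is listening on the configured RDP port and whether Network Level Authentication is required, and with -Disable turns RDP off, closes the “Remote Desktop” firewall rule group and stops the service, which is one step further than the GUI goes. The Get-NetTCPConnection and *-NetFirewallRule cmdlets only exist on Windows 8/Server 2012 and later, so the script falls back to netstat and netsh on Win7. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): audit, and optionally disable,
# Remote Desktop on a standalone Windows box. Run elevated. Use -Disable to change settings.
[CmdletBinding()]
param(
    [switch]$Disable
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RdpStatus {
    # fDenyTSConnections = 1 is the "Don't allow connections to this computer" setting.
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required before the login screen.
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # The listener port can be changed from the default 3389, so read it rather than assuming.
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = $null -ne (Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
        $fwEnabled = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                       Where-Object { $_.Enabled -eq 'True' }).Count
    } else {
        # Windows 7 has no NetTCPIP / NetSecurity modules; fall back to the classic tools.
        $listening = [bool](netstat -an | Select-String -Pattern "[:.]$port\s+\S+\s+LISTENING")
        $fwEnabled = @(netsh advfirewall firewall show rule name=all |
                       Select-String -Pattern '^Enabled:\s+Yes' -Context 2,0 |
                       Where-Object { $_.Context.PreContext -match 'Remote Desktop' }).Count
    }

    [pscustomobject]@{
        RemoteDesktopEnabled = ($deny -eq 0)
        NlaRequired          = ($nla -eq 1)
        Port                 = $port
        Listening            = $listening
        FirewallRulesEnabled = $fwEnabled
        TermServiceStatus    = (Get-Service TermService).Status
    }
}

function Disable-Rdp {
    # 1. Flip the same switch the Remote tab / Remote Desktop slider flips.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord

    # 2. Close the inbound firewall exceptions for the Remote Desktop rule group.
    if (Get-Command Disable-NetFirewallRule -ErrorAction SilentlyContinue) {
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    } else {
        netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null
    }

    # 3. Stop the listener now and keep it from starting at boot. This goes beyond the GUI
    #    step; skip it if something else on the machine depends on TermService.
    Stop-Service TermService -Force -ErrorAction SilentlyContinue
    Set-Service TermService -StartupType Disabled
}

'Before:'
Get-RdpStatus | Format-List
if ($Disable) {
    Disable-Rdp
    'After:'
    Get-RdpStatus | Format-List
}
```

After a run with -Disable, RemoteDesktopEnabled and Listening should both read False; if Listening is still True, something other than the built-in service owns the port and needs to be found separately. If you do keep RDP on for a machine that must be reachable, NlaRequired should at least be True, since NLA forces authentication before the vulnerable pre-auth code paths are reached.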

    If you need to get into your system remotely, there are dozens of alternatives. I use the free Chrome Remote Desktop, but my needs are tiny and I’m not overly concerned about Google snooping on me even more. If you want the Tesla version, check out SolarWinds Dameware, which is $380 per site.

  • Still no DejaBlue exploits generally available

    And, in spite of what you’ve read, there are no DejaBlue attacks in the offing. Lots of people have posted “proof of concept” code on GitHub. A couple of them are bluescreen generators, but none of the publicly available exploits actually work.

    @MalwareTech has a new blog post analyzing the two DejaBlue CVEs:

    In August 2019 Microsoft announced it had patched a collection of RDP bugs, two of which were wormable. The wormable bugs, CVE-2019-1181 & CVE-2019-1182, affect every OS from Windows 7 to Windows 10. There is some confusion about which CVE is which, though it’s possible both refer to the same bug. The vulnerable code exists in both the RDP client and server, making it possible to exploit in either direction.

    His sample code crashes the system, but doesn’t infect.

  • DejaBlue update: We’re still safe.

  • Do you want to protect yourself against BlueKeep, or break Visual Basic?

    Gawd this is tiresome.

    If you read somewhere that you have to install the August patches, even though you read somewhere that you can’t install the August patches (e.g., if you use Juris), chill. The authors of those advisories are parroting things that they’ve read that they don’t understand.

    Installing patches right now is not a good idea. In very rare circumstances, you need to install a patch soon after it arrives. This isn’t one of those circumstances.

    Right now, we know for sure that these August patches break VB, VBA and VBScript in some situations. Günter Born has a good explainer, which points the finger at array handling. An anonymous follow-on post says it’s related to working with empty arrays.

    You’ll get hit if you’re using Raiser’s Edge, Financial Edge, Education Edge, Epic, Ivanti Workspace Control, or Juris. All have been mentioned by name in our forums.

    DejaBlue, on the other hand — BlueKeep II, III, IV and V — remain theoretical. They, like BlueKeep, will pose a threat at some point. But that point isn’t now.

    It looks like Metasploit is poised to add a BlueKeep module to its package at some point in the next week or two. You’re protected if you followed my instructions and have installed any Windows patch from May onward.

    Meanwhile, there are no credible reports that I can see of a BlueKeep infection. And DejaBlue? I haven’t heard of anything beyond bluescreens.

    Meanwhile, every local news show is telling people to patch now. Bah.