
Windows 10 Urgent Update - danseagrave
https://www.cnn.com/2019/08/14/tech/windows-10-microsoft-security-update-trnd/index.html
======
enzanki_ars
CVE-2019-1182: [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182)

Slightly more technical information from Wired:
[https://www.wired.com/story/dejablue-windows-bugs-worm-rdp/](https://www.wired.com/story/dejablue-windows-bugs-worm-rdp/)

TL;DR: Remote Code Execution via RDP on all Windows versions, including 7 and
10.

Wired Quote:

> "Microsoft today warned Windows users of seven new vulnerabilities in
> Windows that, like BlueKeep, can be exploited via RDP, a tool that lets
> administrators connect to other computers in a network. Of those seven bugs,
> Microsoft's advisory emphasized that two are particularly serious; like
> BlueKeep, they could be used to code an automated worm that jumps from
> machine to machine, potentially infecting millions of computers."

> "Unlike BlueKeep, however, the new bugs—half-jokingly named DejaBlue by
> security researchers tracking it—don't merely affect Windows 7 and earlier,
> as the earlier RDP vulnerability did. Instead, it affects Windows 7 and
> beyond, including all recent versions of the operating system."

~~~
groovybits
Thinking of this in context to Win7 EOL approaching:

I imagine the type of people who have RDP publicly exposed are the same type
of people who will not be upgrading from Win7 anytime soon.

I suspect we will see many exploits of this to come.

~~~
londons_explore
Microsoft really ought to develop their own worm, and use it to patch the
flaw.

They can release it on the same day as the regular updates, and scan the whole
IPv4 address space every hour.

That way, the pool of unpatched machines will be so tiny it isn't worth evil
people trying to exploit it.

~~~
groovybits
It's the same threat vector as BlueKeep, so I would imagine the prime
exploitation window for Win7 (which was/is vulnerable to both) has already
passed.

A quick Shodan query already does what you're thinking.

------
Someone1234
Only if you have Remote Desktop Connection (RDS) enabled and exposed to the
open internet. Which you shouldn't.

To quote the CVE:

> Disable Remote Desktop Services if they are not required.


> Block TCP port 3389 at the enterprise perimeter firewall

If you're using a VPN or RD Gateway which have been best practice for tens of
years, you're already insulated. I'd still patch but outside of business
hours.
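
The two mitigations quoted from the advisory above can be audited on a single Windows host with the read-only PowerShell script below. This is an added example, not code from the thread or from the MSRC advisory. It assumes the standard `fDenyTSConnections` and `UserAuthentication` registry values and the built-in `NetSecurity` / `NetTCPIP` cmdlets; it reports the host's own firewall rules and listener state only, so the enterprise perimeter firewall rule for TCP 3389 still has to be verified at the perimeter, and none of this replaces installing the update.

```powershell
# Added example (not from the thread or the MSRC advisory).
# Read-only audit of the advisory's RDP mitigations on the local host.
# Assumptions: well-known Terminal Server registry values; NetSecurity and
# NetTCPIP modules present (Windows 8 / Server 2012 and later).
function Get-RdpExposureReport {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is disabled
    # (the advisory's "Disable Remote Desktop Services" mitigation).
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # UserAuthentication = 1 means Network Level Authentication is required.
    # NLA is standard RDP hardening (not quoted in the comment above).
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
               -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($nla -eq 1)

    # Is anything actually listening on TCP 3389 right now?
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen `
                            -ErrorAction SilentlyContinue)

    # Enabled inbound allow rules that admit TCP 3389 (or any port), with
    # their profiles. A rule active on the Public profile is the host-level
    # analogue of "exposed to the open internet". Port ranges such as
    # "3000-4000" are not expanded here (assumption: exact ports or 'Any').
    $rules = @()
    $allow = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow `
                 -ErrorAction SilentlyContinue
    foreach ($r in $allow) {
        $pf = $r | Get-NetFirewallPortFilter
        $ports = @($pf.LocalPort)
        if (($pf.Protocol -eq 'TCP') -and
            (($ports -contains '3389') -or ($ports -contains 'Any'))) {
            $rules += [pscustomobject]@{
                Name    = $r.DisplayName
                Profile = [string]$r.Profile
            }
        }
    }
    $publicRules = @($rules | Where-Object {
        $_.Profile -match 'Public' -or $_.Profile -eq 'Any'
    })

    # Findings are phrased as the advisory's own recommendations.
    $findings = @()
    if ($rdpEnabled) {
        $findings += 'Remote Desktop is enabled: disable it if not required.'
    }
    if (-not $nlaRequired -and $rdpEnabled) {
        $findings += 'NLA is not required for RDP-Tcp: require it.'
    }
    if ($publicRules.Count -gt 0) {
        $findings += 'A Public-profile rule allows inbound TCP 3389: ' +
                     'block 3389 at the perimeter and restrict the rule.'
    }
    if ($findings.Count -eq 0) {
        $findings += 'No local RDP exposure found; still install the update.'
    }

    [pscustomobject]@{
        RdpEnabled        = $rdpEnabled
        NlaRequired       = $nlaRequired
        Listening3389     = $listening
        Inbound3389Rules  = $rules
        PublicProfileRules = $publicRules
        Findings          = $findings
    }
}

# Run elevated so the registry and firewall queries succeed.
Get-RdpExposureReport | Format-List
```

The report is deliberately split into state (`RdpEnabled`, `Listening3389`, the rule list) and findings, so it can be fed to a configuration-management or SIEM pipeline that alerts on the `PublicProfileRules` count rather than on free text; a VPN or RD Gateway deployment, as the comment describes, should show RDP reachable only on the Domain or Private profile.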

~~~
cptskippy
I know people do that, what with cloud based VMs and all, but still... I don't
get it.

~~~
supernintendo
It’s usually to run some old, proprietary software that only has a Windows
version.

~~~
AnIdiotOnTheNet
"Old, proprietary software" describes something like 80% of all the software
keeping the modern world going.

~~~
AstralStorm
Some of it is new software. South Korean love of ActiveX for example, a
technology dead for at least 10 years. Still getting new stuff written.

On the contrary, most critical software is plenty new - things like MS Office.
Still bound to Windows.

The remaining systems rely on truly custom software and should be either
airgapped (so no RDP) or rewritten. I'm thinking industrial - they should've
planned for this many years beforehand. There were instances back when Windows
XP was the main driver.

------
AstralStorm
I had a feeling something like that was lurking which is why the roll-up was
visible but not distributed yet by Windows Update.

They were testing it for corporate users...

------
hermitdev
Anyone know if the latest insider ring builds are affected, or what the
minimum build number is to have the fix? I'm currently on build 18956 at
home...

