Windows 10 Urgent Update (cnn.com)
46 points by danseagrave 5 days ago | 27 comments

CVE-2019-1182: https://portal.msrc.microsoft.com/en-US/security-guidance/ad...

Slightly more technical information from Wired: https://www.wired.com/story/dejablue-windows-bugs-worm-rdp/

TL;DR: Remote Code Execution via RDP on all Windows versions, including 7 and 10.

Wired Quote:

> "Microsoft today warned Windows users of seven new vulnerabilities in Windows that, like BlueKeep, can be exploited via RDP, a tool that lets administrators connect to other computers in a network. Of those seven bugs, Microsoft's advisory emphasized that two are particularly serious; like BlueKeep, they could be used to code an automated worm that jumps from machine to machine, potentially infecting millions of computers."

> "Unlike BlueKeep, however, the new bugs—half-jokingly named DejaBlue by security researchers tracking it—don't merely affect Windows 7 and earlier, as the earlier RDP vulnerability did. Instead, it affects Windows 7 and beyond, including all recent versions of the operating system."

Thinking of this in the context of the approaching Win7 EOL:

I imagine the type of people who have RDP publicly exposed are the same type of people who will not be upgrading from Win7 anytime soon.

I suspect we will see many exploits of this to come.

Microsoft really ought to develop their own worm, and use it to patch the flaw.

They can release it on the same day as the regular updates, and scan the whole IPv4 address space every hour.

That way, the pool of unpatched machines will be so tiny it isn't worth evil people trying to exploit it.

It's the same threat vector as BlueKeep, so I would imagine the prime exploitation window for Win7 (which was/is vulnerable to both) has already passed.

A quick Shodan query already does what you're thinking.

Wouldn't that be illegal? I hope so.

Only if you have Remote Desktop Connection (RDS) enabled and exposed to the open internet. Which you shouldn't.

To quote the CVE:

> Disable Remote Desktop Services if they are not required.

> Block TCP port 3389 at the enterprise perimeter firewall

If you're using a VPN or RD Gateway which have been best practice for tens of years, you're already insulated. I'd still patch but outside of business hours.
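The two mitigations quoted from the advisory above, plus the NLA and patch-level checks people ask about further down the thread, as an added example (this is not code from the thread, from Microsoft, or from the Wired article). It audits one Windows host and, with -Mitigate, applies the advisory's two workarounds. The registry paths and firewall cmdlets are standard Windows ones; the firewall rule name is my own, and the script deliberately does not hard-code a "fixed" build number, since that depends on the branch and on what the MSRC page lists for it:

```powershell
# Added example: audit a Windows host for RDP exposure and optionally apply the
# MSRC workarounds (disable Remote Desktop Services, block TCP 3389).
# Run from an elevated PowerShell 5.1+ session, e.g. .\Audit-Rdp.ps1 -Mitigate -WhatIf
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Mitigate   # apply the workarounds instead of only reporting
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
$ntVer  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# 1. Is RDP accepting connections at all? fDenyTSConnections = 0 means enabled.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 2. Is Network Level Authentication required? NLA makes the client authenticate
#    (CredSSP) before the pre-authentication RDP code paths are reached, which
#    reduces, but does not remove, exposure on an unpatched host.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1

# 3. Which port is in use, and are the built-in inbound "Remote Desktop" rules on?
$port    = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
$fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

# 4. Build and patch state, to compare by hand against the MSRC advisory for
#    this branch (the minimum fixed build is intentionally not hard-coded).
$ver         = Get-ItemProperty -Path $ntVer
$build       = "$($ver.CurrentBuild).$($ver.UBR)"
$recentFixes = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5

[PSCustomObject]@{
    Computer       = $env:COMPUTERNAME
    Build          = $build
    RdpEnabled     = $rdpEnabled
    NlaRequired    = $nla
    RdpPort        = $port
    InboundFwRules = ($fwRules | Measure-Object).Count
    RecentHotfixes = ($recentFixes.HotFixID -join ', ')
} | Format-List

if ($Mitigate) {
    # Workaround 1 from the advisory: disable Remote Desktop Services.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable Remote Desktop connections')) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        # If someone re-enables RDP later, at least NLA will be required.
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    }
    # Workaround 2: block the RDP port. The advisory says "at the enterprise
    # perimeter firewall"; a host rule is defence in depth for machines that roam.
    if ($PSCmdlet.ShouldProcess("TCP $port", 'Add inbound block rule')) {
        New-NetFirewallRule -DisplayName 'Block inbound RDP (DejaBlue workaround)' `
            -Direction Inbound -Protocol TCP -LocalPort $port -Action Block -Profile Any
    }
}
```

Run it without switches first to get the report; -Mitigate -WhatIf shows what would change without touching the host. Note that blocking 3389 on the host firewall also blocks the legitimate VPN or RD Gateway path unless you scope the rule to the right profile or remote address, so on a managed fleet the perimeter rule the advisory describes is the better place for it.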

Almost every Windows computer in the Fortune 500 company I work for has RDP enabled, and if it weren't, production would grind to a halt.

To make matters worse I can't even run Windows updates on my laptop because the IT department has blocked it. I can only run updates at home.

Are they exposed to the internet or do you have to connect to a VPN first?

Oh yeah, there are all kinds of firewalls, but you know there is always a hole somewhere. (Officially they've contracted with Amazon Workspaces to provide remote access, which actually works pretty well, albeit slow.)

I know people do that, what with cloud based VMs and all, but still... I don't get it.

It should be noted that AWS and other Cloud providers let you set up Security Groups containing specific IP addresses or ranges (i.e. just whitelist your static IP for SSH/RDS access).

It isn't as secure as a VPN (and not as convenient), but definitely a stop-gap if you don't want to pay for Client VPN.
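The security-group stop-gap described above, as an added example (not from the thread): find EC2 security groups that allow RDP from the whole internet and, with -Fix, replace the offending IPv4 rule with one scoped to a single admin address. It uses the AWS Tools for PowerShell (AWS.Tools.EC2 module); the admin CIDR and region are placeholders, credentials come from the usual AWS profile or environment, and the hashtable form of -IpPermission is the one AWS documents for these cmdlets. Rules for "all protocols" and IPv6 ::/0 are reported but left for manual cleanup, so the script only ever removes what it can describe exactly:

```powershell
# Added example: audit EC2 security groups for RDP (TCP 3389) open to the world
# and optionally re-scope the rule to one admin IP.
# Usage: .\Fix-RdpSecurityGroups.ps1 -AdminCidr '203.0.113.10/32' -Region 'us-east-1' [-Fix]
param(
    [Parameter(Mandatory)] [string]$AdminCidr,   # placeholder, e.g. '203.0.113.10/32'
    [string]$Region = 'us-east-1',
    [switch]$Fix
)
Import-Module AWS.Tools.EC2

$rdpPort = 3389

foreach ($sg in Get-EC2SecurityGroup -Region $Region) {
    foreach ($perm in $sg.IpPermissions) {
        # A TCP rule whose port range covers 3389, or an "all protocols" rule (-1).
        $allProtocols = $perm.IpProtocol -eq '-1'
        $tcpRdp = $perm.IpProtocol -eq 'tcp' -and $perm.FromPort -le $rdpPort -and $perm.ToPort -ge $rdpPort
        if (-not ($allProtocols -or $tcpRdp)) { continue }

        $openV4 = @($perm.Ipv4Ranges | Where-Object { $_.CidrIp -eq '0.0.0.0/0' })
        $openV6 = @($perm.Ipv6Ranges | Where-Object { $_.CidrIpv6 -eq '::/0' })
        if (-not ($openV4 -or $openV6)) { continue }

        $what = if ($allProtocols) { 'all protocols' } else { "tcp $($perm.FromPort)-$($perm.ToPort)" }
        Write-Warning "$($sg.GroupId) ($($sg.GroupName)) allows $what from anywhere"

        if (-not $Fix) { continue }
        if ($allProtocols -or $openV6) {
            # Not touched automatically: an all-protocol or IPv6 rule may carry
            # other intended traffic, so review it by hand.
            Write-Warning "  skipped: all-protocol or IPv6 rule needs manual review"
            continue
        }

        # Remove the 0.0.0.0/0 entry for this exact port range...
        $revoke = @{ IpProtocol = 'tcp'; FromPort = $perm.FromPort; ToPort = $perm.ToPort; IpRanges = @('0.0.0.0/0') }
        Revoke-EC2SecurityGroupIngress -Region $Region -GroupId $sg.GroupId -IpPermission $revoke

        # ...and allow 3389 only from the admin address.
        $grant = @{ IpProtocol = 'tcp'; FromPort = $rdpPort; ToPort = $rdpPort; IpRanges = @($AdminCidr) }
        Grant-EC2SecurityGroupIngress -Region $Region -GroupId $sg.GroupId -IpPermission $grant
        Write-Host "  re-scoped $($sg.GroupId): RDP now allowed only from $AdminCidr"
    }
}
```

If the admin address is not static, this whitelist rots the moment it changes, which is the convenience cost the comment above alludes to; a VPN or a bastion with a fixed Elastic IP avoids that.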

It’s usually to run some old, proprietary software that only has a Windows version.

"Old, proprietary software" describes something like 80% of all the software keeping the modern world going.

Some of it is new software. South Korean love of ActiveX for example, a technology dead for at least 10 years. Still getting new stuff written.

On the contrary, most critical software is plenty new - things like MS Office. Still bound to Windows.

The remaining systems rely on truly custom software and should be either airgapped (so no RDP) or rewritten. I'm thinking industrial - they should've planned for this many years beforehand. There were instances back when Windows XP was the main driver.

Why has RDP been so vulnerable to exploits for so long? It seems Microsoft should require credentials sent before processing any complex graphics rendering stuff, yet even to this day, it is possible to view a remote logon screen, get remote audio, etc. all unauthenticated!

While internet-facing servers may be the most common attack vector, you assume the vulnerability couldn't come from inside the network.

If they're attacking you from an internal vector they likely already have code execution within that internal context, making this bug largely redundant. The more common case is gaining entry to a poorly secured edge or cloud server, rather than a bad actor sitting on your LAN.

But sure, I suppose, that niche edge case (local context without local code execution) could hypothetically exist somewhere, but patching this won't make you secure.

The internal remote hole can be thought of as a force multiplier. An attacker that bypasses the edge in any way gets every machine in your network. It takes any other remote bug or anyone getting to any badness on the Internet. And then if your domain controller is owned, it's everything...

A simple virus could even do it. It takes only one instance for this bug to completely take over your network if you're Windows based. Remember Windows XP time? That's how it is.

Unless you completely cut off the internal network everywhere. Good luck with that policy.

You wouldn't even know you have been owned completely and expect only a router issue if the breach is from there. Or not even spot anything out of ordinary.

About the only real way is to presume internal network is compromised and keep diversity and backups to reduce impact. Compartmentalize, do not centralize, no matter how much money you'd save that way. If a man has to go to fix an issue instead of remote login, so be it.

It's not a niche edge case, there is an entire industry that revolves around securing BYOD devices. If I bring a compromised device on your network and it uses some RDP flaw to access another machine, it's gotten a foothold in the network where it could spread further. I don't need code execution from an existing internal resource.

And yes, security is a layered approach. That's why we recognize that the internet isn't the only threat vector out there.

Edit: Why wouldn't you patch internal servers for this anyway? Let's say there is an existing threat with code execution like you say. Now he can trivially access all machines on the network because they share a common vulnerability. At least make him work for it.

> If I bring a compromised device on your network

Then I'm in real trouble with or without this. A compromised device can sniff the network, masquerade, inject network traffic (inc. DNS), and can attack every other device on that same segment.

> I don't need code execution from an existing internal resource.

If you cannot execute code in an internal context then you cannot exploit this bug, you'd effectively be an external attacker. Your own example had you running code on a locally connected "BYOD" device. Therefore you're already executing code in that context.

> Why wouldn't you patch internal servers for this anyway?

Nobody suggested that. In fact quite to the contrary.

By the way while we're discussing niche edge cases, what's your strategy to protect against Van Eck phreaking? Seems about as concrete as the attack vector you're proposing (local network access with no way to execute code).

Okay, I think I've either poorly communicated or you've misconstrued what I meant. All I was trying to imply was that threats can surface within the network. I'm not saying some magic will take advantage of the exploit with no connection to the target's network. You said:

> If they're attacking you from an internal vector they likely already have code execution within that internal context, making this bug largely redundant.

I was disagreeing that this is redundant. This vulnerability is a remote code exploit that could give an attacker control over the target just by sending a specially crafted packet. It is not some Apache misconfiguration affecting a couple servers, it's baked into all versions of Windows.

I had a feeling something like that was lurking which is why the roll-up was visible but not distributed yet by Windows Update.

They were testing it for corporate users...

Anyone know if the latest insider ring builds are affected, or what the minimum build number is to have the fix? I'm currently on build 18956 at home...

I would guess the amount of people who care enough, and are able to successfully disable all Telemetry, and prevent it from being re-enabled is so small that Microsoft doesn't care.

I would also be willing to bet that the majority of people who have it "disabled" are still sending back plenty of Telemetry. If you really care, your best option is to just not use Windows.

Most sensible answer.

They have lost my confidence as well after breaking* a Windows 7 machine I was using as an ad hoc server with updates that amounted to little more than telemetry without announcing themselves as such.

* Set off a crash loop in connection with my setup, which had been pretty conservatively set up. It was fixable, but a nonsense problem to deal with.
