There’s been a lot of discussion about BlueKeep, its ramifications and various strategies for blocking it. In a nutshell, it’s a security hole in the Windows Remote Desktop Protocol that allows a malicious program to enter your machine – if you have Remote Desktop turned on, it’s accessible directly from the internet, and you haven’t installed the May patches.
Two weeks ago, Susan Bradley posted a CSO article that details ways admins can avoid using RDP. I’ve seen reams of advice about blocking ports, disabling services, setting authentication levels, deploying voodoo dolls, reading chicken entrails… but the simplest way for almost everybody to avoid the problem is to install the May (or later) Windows patches.
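For admins who want to confirm where a given machine stands on the three conditions named above (Remote Desktop on, reachable without Network Level Authentication, and no May-or-later updates installed), here is an added, read-only audit script. It is example code written for this page, not something from the post, from Susan Bradley’s article or from Microsoft. It assumes the standard Terminal Server registry keys and uses the May 2019 Patch Tuesday date (2019-05-14) as a stand-in for “the May patches”; both are assumptions, not values stated in the post.

```powershell
# Added example (not from the original post): read-only audit of a single
# Windows host for the exposure conditions the post describes.
# Assumptions: the Terminal Server registry keys below are the standard
# locations, and 2019-05-14 (May 2019 Patch Tuesday) stands in for "the
# May patches". Run in an elevated PowerShell session.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# 1. Is Remote Desktop turned on?  fDenyTSConnections = 0 means connections are allowed.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# 2. Is Network Level Authentication required?  UserAuthentication = 1 means NLA is on.
#    NLA reduces the exposed surface but is not a substitute for the patch.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# 3. Which port is RDP on, and is the listener bound to every interface?
$rdpPort = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $rdpPort) { $rdpPort = 3389 }
$listeners    = Get-NetTCPConnection -State Listen -LocalPort $rdpPort -ErrorAction SilentlyContinue
$exposedToAll = @($listeners | Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') })

# 4. Has any update dated on or after the May 2019 Patch Tuesday been installed?
#    This is a heuristic: it shows whether the box has taken updates at all since
#    then, not that the specific RDP fix for this OS build is present.
$cutoff = Get-Date '2019-05-14'
$recent = @(Get-HotFix | Where-Object { $_.InstalledOn -ge $cutoff })
$patchedSinceMay = ($recent.Count -gt 0)

[PSCustomObject]@{
    ComputerName         = $env:COMPUTERNAME
    RdpEnabled           = $rdpEnabled
    NlaRequired          = $nlaRequired
    RdpPort              = $rdpPort
    ListeningOnAllIfaces = ($exposedToAll.Count -gt 0)
    UpdatesSinceMay2019  = $recent.Count
} | Format-List

if ($rdpEnabled -and -not $nlaRequired -and -not $patchedSinceMay) {
    Write-Warning 'RDP is on, NLA is off and no May-or-later updates are present: apply the May (or later) Windows patches now.'
}
```

Two caveats: Get-NetTCPConnection is not available on Windows 7, so step 3 silently returns nothing there (use netstat -an instead), and a green result on step 4 only means updates have been installed since mid-May; the authoritative check is the specific KB Microsoft lists for your OS build. Whether the machine is reachable from the internet on that port is a question for the firewall or router in front of it, which this host-side script cannot answer.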
Earlier today, Kevin Beaumont – who I consider to be a world-class authority on the subject – posted this warning:
The first public, free #BlueKeep exploit is out in Metasploit now.
He, in turn, points to this article by Brent Cook on the Rapid7 site:
By default, Metasploit’s BlueKeep exploit only identifies the target operating system version and whether the target is likely to be vulnerable. The exploit does not currently support automatic targeting; it requires the user to manually specify target details before it will attempt further exploitation. If the module is interrupted during exploitation, or if the incorrect target is specified, the target will crash with a bluescreen. Users should also note that some elements of the exploit require knowledge of how Windows kernel memory is laid out, which varies depending on both OS version and the underlying host platform (virtual or physical); the user currently needs to specify this correctly to run the exploit successfully. Server versions of Windows also require a non-default configuration for successful exploitation—namely, changing a registry setting to enable audio sharing. This limitation may be removed in the future.
So the next worm isn’t yet a massive threat – but you can bet that it will be. Soon.
Get the May (or later) Windows patches applied. Now.
More on AskWoody.