Episode 405

Update Uncertainty


June 11th, 2019

30 mins 47 secs

Your Hosts

About this Episode

We explore the risky world of exposed RDP, from the brute force GoldBrute botnet to the dangerously worm-able BlueKeep vulnerability.

Plus the importance of automatic updates, and Jim's new backup box.

Episode Links

  • Errata Security: Almost One Million Vulnerable to BlueKeep Vuln (CVE-2019-0708) — Microsoft announced a vulnerability in it's "Remote Desktop" product that can lead to robust, wormable exploits. I scanned the Internet to assess the danger. I find nearly 1-million devices on the public Internet that are vulnerable to the bug.
  • Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708) | ZDNet — "[The] NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.
  • Prevent a worm by updating Remote Desktop Services (CVE-2019-0708) – MSRC — This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017
  • BlueKeep - everyone agrees, you should patch PCs running legacy versions of Windows — I have this horrible feeling that the only way we’re going to wake the world up to the need to patch their ageing versions of Windows against the BlueKeep vulnerability is to wait until a malicious worm begins to spread around the world.
  • CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability — A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability — Microsoft is aware that some customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received any security updates to protect their systems from CVE-2019-0708, which is a critical remote code execution vulnerability.
  • Forget BlueKeep: Beware the GoldBrute | Threatpost — In the past few days, GoldBrute (named after the Java class it uses) has attempted to brute-force Remote Desktop Protocol (RDP) connections for 1.5 million Windows systems and counting, according to Morphus Labs chief research officer Renato Marinho. The botnet is actively scanning the internet for machines with RDP exposed, and trying out weak or reused passwords to see if it can gain access to the systems.
  • The GoldBrute botnet — The latest round of bad news emerged last week when Morphus Labs’ researcher Renato Marinho announced the discovery of an aggressive brute force campaign against 1.5 million RDP servers by a botnet called ‘GoldBrute’.
  • Ubuntu Automatic Updates — The unattended-upgrades package can be used to automatically install updated packages, and can be configured to update all packages or just install security updates.
  • AutoUpdates - Fedora Project Wiki — You must decide whether to use automatic DNF or YUM updates on each of your machines.
  • It's time to block Windows Automatic Updating | Computerworld — Those of you who feel it’s important to install Windows and Office patches the moment they come out – I salute you. The Windows world needs more cannon fodder.
  • Windows 10's Ugly Updates Just Got Uglier. Here's How To Stay Safe by Disabling Automatic Updates — Stay safe by disabling automatic updates? How is that possible? As a general rule of thumb, I’d never recommend disabling updates because security patches are essential. But the situation with Windows 10 has become intolerable. Microsoft continues to fail and continues to release update after update that they know, or should know, has serious problems.
  • Jim's New Rig — I build, sell, and manage much bigger and meaner systems than this all the time. But this one's MINE! 12 hot swap bays, Ryzen 7 2700 w/ ECC RAM, quiet enough to share an office with, and the trays can take either HDD or SSD with no adapter needed.