{"id":16255,"date":"2019-09-06T12:30:04","date_gmt":"2019-09-06T20:30:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/09\/06\/news-9997\/"},"modified":"2019-09-06T12:30:04","modified_gmt":"2019-09-06T20:30:04","slug":"news-9997","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/09\/06\/news-9997\/","title":{"rendered":"Heads up: A free, working exploit for BlueKeep just hit"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security7-100734736-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Fri, 06 Sep 2019 11:33:00 -0700<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">There\u2019s been a lot of discussion about BlueKeep, its ramifications and various strategies for blocking it. In a nutshell, it\u2019s a security hole in the Windows Remote Desktop Protocol that allows a malicious program to enter your machine \u2013 if you have Remote Desktop turned on, it\u2019s accessible directly from the internet, and you haven\u2019t installed the May patches.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Two weeks ago, Susan Bradley posted <\/span><a href=\"https:\/\/www.csoonline.com\/article\/3432960\/how-to-avoid-using-rdp-on-windows.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">a CSO article<\/span><\/a><span style=\"font-weight: 400;\"> that details ways admins can \u00a0avoid using RDP. 
I\u2019ve seen reams of advice about blocking ports, disabling services, setting authentication levels, deploying voodoo dolls, reading chicken entrails\u2026, but the simplest way for almost everybody to avoid the problem is to <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3400237\/its-time-to-install-the-may-windows-and-office-patches.html\"><span style=\"font-weight: 400;\">install the May<\/span><\/a><span style=\"font-weight: 400;\"> (or later) Windows patches.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Earlier today, Kevin Beaumont \u2013 who I consider to be a world-class authority on the subject \u2013 posted <\/span><a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1170014744176148481\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">this warning<\/span><\/a><span style=\"font-weight: 400;\">:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The first public, free #BlueKeep exploit is out in Metasploit now.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">He, in turn, points to this article by <\/span><a href=\"https:\/\/blog.rapid7.com\/2019\/09\/06\/initial-metasploit-exploit-module-for-bluekeep-cve-2019-0708\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">Brent Cook on the Rapid7 site<\/span><\/a><span style=\"font-weight: 400;\">:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">By default, Metasploit\u2019s BlueKeep exploit only identifies the target operating system version and whether the target is likely to be vulnerable. The exploit does not currently support automatic targeting; it requires the user to manually specify target details before it will attempt further exploitation. If the module is interrupted during exploitation, or if the incorrect target is specified, the target will crash with a bluescreen. 
Users should also note that some elements of the exploit require knowledge of how Windows kernel memory is laid out, which varies depending on both OS version and the underlying host platform (virtual or physical); the user currently needs to specify this correctly to run the exploit successfully. Server versions of Windows also require a non-default configuration for successful exploitation\u2014namely, changing a registry setting to enable audio sharing. This limitation may be removed in the future.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">So the next worm isn\u2019t yet a massive threat \u2013 but you can bet that it will be. Soon.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Get the May (or later) Windows patches applied. Now.<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">Thx @NetDef<\/span><\/i><\/p>\n<p><i><span style=\"font-weight: 400;\">More <\/span><\/i><a href=\"https:\/\/www.askwoody.com\/2019\/heads-up-theres-a-working-free-but-stunted-bluekeep-exploit-making-the-rounds\/\" rel=\"nofollow noopener\" target=\"_blank\"><i><span style=\"font-weight: 400;\">on AskWoody<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.<\/span><\/i><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3436857\/heads-up-a-free-working-exploit-for-bluekeep-just-hit.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security7-100734736-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Fri, 06 Sep 2019 11:33:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p><span style=\"font-weight: 400;\">There\u2019s been a lot of discussion about BlueKeep, its ramifications and various strategies for blocking it. 
In a nutshell, it\u2019s a security hole in the Windows Remote Desktop Protocol that allows a malicious program to enter your machine \u2013 if you have Remote Desktop turned on, it\u2019s accessible directly from the internet, and you haven\u2019t installed the May patches.<\/span><\/p>\n<aside class=\"fakesidebar\"><strong>[ Related: <a href=\"https:\/\/www.csoonline.com\/article\/3267893\/security\/microsoft-windows-10-vs-apple-macos-18-security-features-compared.html\">Microsoft Windows 10 vs. Apple macOS: 18 security features compared<\/a> ]<\/strong><\/aside>\n<p><span style=\"font-weight: 400;\">Two weeks ago, Susan Bradley posted <\/span><a href=\"https:\/\/www.csoonline.com\/article\/3432960\/how-to-avoid-using-rdp-on-windows.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">a CSO article<\/span><\/a><span style=\"font-weight: 400;\"> that details ways admins can \u00a0avoid using RDP. I\u2019ve seen reams of advice about blocking ports, disabling services, setting authentication levels, deploying voodoo dolls, reading chicken entrails\u2026, but the simplest way for almost everybody to avoid the problem is to <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3400237\/its-time-to-install-the-may-windows-and-office-patches.html\"><span style=\"font-weight: 400;\">install the May<\/span><\/a><span style=\"font-weight: 400;\"> (or later) Windows patches.<\/span><\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3436857\/heads-up-a-free-working-exploit-for-bluekeep-just-hit.html#jump\">To read this article in full, please click 
here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[13764,714,10525],"class_list":["post-16255","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-pcs","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16255","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16255"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16255\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16255"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}