Penetration Testing Toolkit Includes Exploit For 'Incredibly Dangerous' Bluekeep Vulnerability (vice.com) 67
An anonymous reader quotes Vice:
In May, Microsoft released a patch for a bug in several versions of Windows that is so bad that the company felt it even had to release a fix for Windows XP, an operating system that (has been unsupported) for five years. That vulnerability is known as BlueKeep, and it has kept a lot of security researchers up at night. They are worried that someone could write an exploit for it and make a worm that could wreak havoc the way WannaCry or NotPetya -- two viruses that spread almost uncontrollably all over the world locking thousands of computers -- did.... Researchers were so worried about this vulnerability that for months, no one has published the code for a proof-of-concept exploit. In other words, no one wanted to be the guy to even prove that this type of malware was even possible to write.
Until now.
On Tuesday, Immunity, a long time US government contractor, announced that it had developed an exploit for BlueKeep and included it into its penetration testing toolkit Canvas, which is available only to paying subscribers. Canvas customers, can now exploit this bug using Immunity's own code.
ZDNet notes that Canvas licenses "cost between thousands and tens of thousands of US dollars," but also adds that "hackers have been known to pirate or legitimately buy penetration testing tools."
Until now.
On Tuesday, Immunity, a long time US government contractor, announced that it had developed an exploit for BlueKeep and included it into its penetration testing toolkit Canvas, which is available only to paying subscribers. Canvas customers, can now exploit this bug using Immunity's own code.
ZDNet notes that Canvas licenses "cost between thousands and tens of thousands of US dollars," but also adds that "hackers have been known to pirate or legitimately buy penetration testing tools."
Re: (Score:2)
What sort of evidence do you need? He invented those facts just minutes ago, they're hot off his imagination.
Just as a counterpoint, I'm running a > 10-year-old 1000kVA APC UPS that's still going fine despite never having APC batteries in it past the first lot. And all have lasted over five years, despite the advice to swap them every 2-3 years.
Re: Not news (Score:1)
blind (Score:2)
"That vulnerability is known as BlueKeep, and it has kept a lot of security researchers up at night"
If security vulnerabilities somehow keep you up at night, there's something about Windows you should never find out.....
What about us? (Score:2)
"In May, Microsoft released a patch for a bug in several versions of Windows that is so bad that the company felt it even had to release a fix for Windows XP"
What about us Linux users, how do we get in on the fun?
Honestly, I feel kind of snubbed that my system isn't vulnerable to these ancient bugs and flaws.
Re: (Score:3, Funny)
Thinking Linux does have any security vulnerabilities is a bit of naÃveté.
Almost as naive as thinking Slashdot supports Unicode.
Re: What about us? (Score:1)
Re: (Score:2)
Thinking Linux does have any security vulnerabilities is a bit of naÃveté.
Thinking that I said any such thing is stupid.
Re: (Score:2)
Thinking Linux does have any security vulnerabilities is a bit of naÃfvetÃf©.
Ugh, I had an outbreak of naÃfvetÃf© on my abdomen once, luckily my doc prescribed a course of antibiotics and it cleared up again within a few days. I've heard of people getting naÃfvetÃf© in more sensitive areas where it takes a lot longer to get rid of it...
Re: (Score:2)
yawn
Re: (Score:2)
You could always start a new hobby searching for a Windows bug that also exists in WINE.
Good luck!
Re: (Score:2)
Honestly, I feel kind of snubbed that my system isn't vulnerable to these ancient bugs and flaws.
Spectre/meltdown ought to be fun enough for you :) But to be fair that impacts all OSs
But Windows seems to get all the good ones.
Windows XP, Vista, 7 vulnerable - not Win 8, 10 (Score:5, Informative)
It's not completely clear from the summary, but inside the article we find out that Windows 8 and Windows 10 are NOT vulnerable. Windows XP -> Windows 7 (along with equivalent Server variations) are vulnerable, and must be patched.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Windows 7 is not past end of life, which occurs Jan 2020. And a LOT of machines are still running it. The latest Steam hardware survey shows it at a bit over 20%, although it's dropping off fairly rapidly at this point. I'd bet it's still used in a lot of businesses as well.
MS will probably still patch critical OS vulnerabilities like this one for the next decade, though, like they've done for XP.
Re: (Score:2)
Windows 7 is most definitely out of support. Mainstream support ended in 2015. current support is the very expensive paid for extended support so for 99.9% of people it is most definitely past end of life.
You're confusing the definitions of mainstream vs extended support. The OS was still actively developed during mainstream support. Then, after 2015, it was in "extended support", during which they only applied bug fixes / security updates. 100% of Windows 7 machines are still supported until the Jan 2020 date.
What you're thinking of is Extended Security Updates (ESU), which Microsoft charges a per-machine license to keep updated. This will begin starting Jan 2020.
https://support.microsoft.com/... [microsoft.com]
Re: (Score:2)
Itâ(TM)s also on github (Score:5, Informative)
'Incredibly Dangerous' Bluekeep Vulnerability (Score:2)
Assuming you actually have RDP enabled.
Re: (Score:2)
Assuming you actually have RDP enabled.
Windows 7 seems to come with RDP enabled by default, which is even more concerning than the bug in the service.