Despite Windows BlueKeep exploitation freak-out, no one stepped on the gas with patching, say experts

The flurry of alerts in recent weeks of in-the-wild exploitation of the Windows RDP BlueKeep security flaw did little to change the rate at which people patched their machines, it seems. This is according to eggheads at the SANS Institute, who have been tracking the rate of patching for the high-profile vulnerability over the …

  1. big_D Silver badge

    I would assume security conscious admins have already patched. We patched straight away.

    But, if you are exposing RDP directly to the Internet, you probably don't have all of your admin marbles together anyway.

    At a previous company, the CEO claimed that putting RDP directly on the Internet was safe, because he didn't use the standard port! It took a bit of arm twisting to get him to use a VPN in front of the RDP service - mainly because he only had a thin-client at home.

    At every other company I have worked at, RDP was behind at least a VPN with 2 factor authentication.

    1. Pascal Monett Silver badge

      As usual it's the effin' CEO himself that is the problem.

      IT truly is a domain where a little knowledge is worse than no knowledge at all.

    2. Anonymous Coward

      If RDP is open to the Internet, there is probably no patching policy and limited isolation for the boxes, so the report isn't a surprise. Until the boxes are compromised or services affected, they are likely to remain vulnerable.

    3. Halfmad Silver badge

      I think you've nailed it to be honest. If you have your patching organised already, this alert won't really have made any real impact as those patches would have been applied or be applied shortly anyway. If you don't though, nothing short of a breach is likely to make you take notice at this point. We've been bombarded with "patch now!" alerts over recent years; if it's not sorted by now, it never will be.

      1. big_D Silver badge

        I was just listening to Security Now, there was a new BlueKeep exploit last week and it crashed many of the exposed servers - turns out that the malware was using a hook for the Meltdown mitigation and the servers that were crashing didn't have the Meltdown mitigation from Microsoft installed. If patches from nearly 2 years ago haven't been installed, I doubt that this one will be either!

    4. TonyJ Silver badge

      Agreed. And given that Windows has had an RD gateway built in since 2008 R2 (maybe even in 2008?) in a fairly simple manner (wizard driven and all) which offers a second layer of authentication and protection, there really is no excuse for exposing RDP to the world other than stupidness and laziness.

      But... according to MS themselves they were seeing over 400,000 RDP endpoints connected without even enabling NLA. (https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/)

      So laziness and stupidness, but doubled-down!
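As an added example (not code from anyone in this thread or from Microsoft), here is a PowerShell audit of the listener settings the comments above keep returning to: whether NLA is required on the RDP-Tcp listener, which port it sits on, and whether the host accepts remote desktop connections at all. It reads registry values that exist on Windows Server 2008 R2 and later; the function name and the "safe" thresholds are my own choices.

```powershell
# Added example, not from the thread: report the RDP listener's exposure-relevant
# settings on the local host. Run in an elevated PowerShell session.
function Get-RdpExposure {
    $tsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $listenerKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 means Remote Desktop is enabled on this host.
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name 'fDenyTSConnections').fDenyTSConnections -eq 0

    # UserAuthentication = 1 means NLA is required: the client must authenticate
    # before a session is created, which Microsoft lists as a partial BlueKeep
    # mitigation because unauthenticated clients never reach the session setup.
    $nla = (Get-ItemProperty -Path $listenerKey -Name 'UserAuthentication').UserAuthentication -eq 1

    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required.
    $secLayer = (Get-ItemProperty -Path $listenerKey -Name 'SecurityLayer').SecurityLayer

    # Non-standard port (as the CEO in the comment above relied on) is not a control;
    # it is reported only so the reviewer sees what is actually listening.
    $port = (Get-ItemProperty -Path $listenerKey -Name 'PortNumber').PortNumber

    [PSCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        RdpEnabled    = $rdpEnabled
        NlaRequired   = $nla
        SecurityLayer = $secLayer
        ListenerPort  = $port
        # Assumption: "acceptable" means RDP is off, or NLA and TLS are both required.
        Acceptable    = (-not $rdpEnabled) -or ($nla -and $secLayer -eq 2)
    }
}

$result = Get-RdpExposure
$result | Format-List

if (-not $result.Acceptable) {
    Write-Warning 'RDP listener is enabled without NLA and/or TLS; require both and keep it behind an RD Gateway or VPN.'
    # Remediation (uncomment to apply): require NLA and TLS on the RDP-Tcp listener.
    # $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    # Set-ItemProperty -Path $listenerKey -Name 'UserAuthentication' -Value 1
    # Set-ItemProperty -Path $listenerKey -Name 'SecurityLayer' -Value 2
}
```

Run it across a fleet with `Invoke-Command` to find the hosts that still answer pre-authentication RDP, which is the population the comments above describe as never patching.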

Biting the hand that feeds IT © 1998–2019