With more hints dropped online on how to exploit BlueKeep, you've patched that Windows RDP flaw, right?

Vital clues on how to exploit the notorious Windows RDP bug, aka CVE-2019-0708 aka BlueKeep, and hijack vulnerable boxes, emerged online this week. The growing number of hints can be used by folks to develop working code that attacks Microsoft's Remote Desktop Services software, on Windows XP through to Server 2008, and gains …

  1. Blockchain commentard

    Frankly, if you're still on XP or Server 2008 and they're public facing you have bigger problems than worrying about patching. Get your CIO to budget for up to date software, and not just the operating systems.

    1. MyffyW Silver badge

      Your biggest, most immediate problem will be that BlueKeep worm when it comes out. If today, Wednesday, you have a choice between that bid for funds or patching your XP/2003/2008 boxen, get patching. The bid for funds can wait another day.

      1. Alister

        Your biggest issue is allowing public access to RDP through your firewall. If you are stupid enough to do that, then patching or upgrading is probably beyond you.
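        The point made above, that the real exposure is an RDP listener reachable through the firewall, is easy to audit on the host itself. The following script is an added example written for this page by its editor, not by the article's author or any commenter. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets (the XP/2003/2008 hosts the thread is about predate them; on Vista/2008 `netsh advfirewall firewall show rule name=all` gives the same rule listing to review by hand), runs read-only from an elevated PowerShell, and takes the KB number of the fix as a parameter because the page does not state one; `KBPLACEHOLDER` is a placeholder, not a real update. It flags an enabled RDP listener, a listener that does not require Network Level Authentication, any enabled inbound allow rule that admits the RDP port from any address on the Public (or every) profile, and a missing patch.

```powershell
# Added example (editor's, not from the article or any commenter): a read-only
# audit of a Windows host's RDP exposure, run locally from an elevated PowerShell.
# Assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets; the
# XP/2003/2008 hosts the thread is about predate them (use 'netsh advfirewall
# firewall show rule name=all' on Vista/2008, or the GUI, for the same review).
# $PatchKb is a placeholder: take the real KB number from Microsoft's advisory.
param(
    [string]$PatchKb = 'KBPLACEHOLDER'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Is Remote Desktop enabled and the Terminal Services service running?
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts    = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
$svc   = Get-Service -Name TermService -ErrorAction SilentlyContinue
$rdpOn = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0) -and
         ($null -ne $svc) -and ($svc.Status -eq 'Running')
if ($rdpOn) { $findings.Add('RDP is enabled and TermService is running.') }

# 2. Listener port (3389 unless changed) and the NLA setting on the RDP-Tcp listener.
#    UserAuthentication = 1 means a client must authenticate before reaching the session stack.
$rdpTcp  = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue
$rdpPort = if ($rdpTcp -and $rdpTcp.PortNumber) { [int]$rdpTcp.PortNumber } else { 3389 }
if ($rdpOn -and $rdpTcp -and $rdpTcp.UserAuthentication -ne 1) {
    $findings.Add('Network Level Authentication is not required on RDP-Tcp.')
}

# 3. Enabled inbound allow rules for that port, applying to the Public profile (or all
#    profiles) from any remote address: the "RDP through the firewall" case.
#    Port ranges in LocalPort are not parsed; only the exact port or 'Any' matches.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
foreach ($rule in $rules) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -ne 'TCP') { continue }
    $ports = @($pf.LocalPort)
    if (($ports -notcontains "$rdpPort") -and ($ports -notcontains 'Any')) { continue }
    $af = $rule | Get-NetFirewallAddressFilter
    if (@($af.RemoteAddress) -notcontains 'Any') { continue }
    # Profile renders as e.g. 'Domain, Private, Public' or 'Any'
    if ("$($rule.Profile)" -match 'Public|Any') {
        $findings.Add("Firewall rule '$($rule.DisplayName)' allows TCP/$rdpPort from any address on profile(s): $($rule.Profile).")
    }
}

# 4. Is the fix installed? Get-HotFix only lists updates Windows itself recorded,
#    so a negative here means "check by other means", not "definitely unpatched".
if ($PatchKb -ne 'KBPLACEHOLDER') {
    $hf = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
    if (-not $hf) { $findings.Add("$PatchKb is not listed as installed.") }
} else {
    $findings.Add('No KB number supplied; patch state not checked.')
}

if ($findings.Count -eq 0) {
    'No RDP exposure findings.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it as `.\Check-RdpExposure.ps1 -PatchKb KB<number-from-advisory>` on each host; a host that reports none of the findings still needs its perimeter checked from outside, since a firewall rule on the box says nothing about port forwards upstream of it.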

        1. phuzz Silver badge

          You're right, but some sysadmins aren't given a choice about if and when they're allowed to patch.

          Mind you, some of the systems that I wasn't allowed to 'alter in any way' would suffer unavoidable reboots occasionally, and when they rebooted strangely they'd be patched. Must have been an error in the UPS or something, certainly wasn't me logging on out-of-hours and hitting that "Update and Reboot" button, oh no.

        2. LeahroyNake

          Isn't that the whole reason for the mess that is the MS RDP gateway, along with all the other cruft and crap certificate management that goes along with it?

          They say it works, but it really needs a non-MS VPN and firewall to secure it if you have any hope of avoiding these issues, even in the latest versions of MS Server OSes.

    2. Anonymous Coward

      Eek!

      Many, many cashpoints run Windows XP embedded. Wonder if they support RDP? Time to dig around on shodan again...

      1. Anonymous Coward

        Re: Eek!

        <some-time incident response person at a large bank here>

        Yes, there's still a fair bit of XP embedded in ATMs (and tills and other point-of-sale technology), but they're not barking mad enough to hang them out on the public internet. They may in some circumstances be accessible from a disconcertingly large fraction of the desktop estate, due to a network architecture that has a bit too much of the "big and flat" going on and not enough "internal segregation, min privs", admittedly...

    3. GnuTzu

      "if you're still on XP or Server 2008 and they're public facing you..."

      ...can expect some really big bills from an incident response service, a forensics service, a remediation service, and from those who will be replacing your entire IT and InfoSec departments.

    4. Tom Paine

      Public facing?

      If you're only thinking about public-facing systems you also have big problems.

  2. NogginTheNog

    If only

    Everyone's worked at companies too big, too slow, too disjointed, too 'dinosaur' to do things correctly, like not still running public facing systems on ancient platforms, even though yes everyone knows they shouldn't be...

    Except the smart-Alecs commenting from their high horses I suppose.

    1. LewisRage

      Re: If only

      I left a company over 2 years ago, having been running the XP/2003 decommissioning project for 4 years prior to leaving.

      I caught up with a couple of the guys I left behind and they are still no further forward in getting the last 2003 boxes off the network. I had of course dealt with the low hanging fruit, but the last few boxes were 'core' and running proprietary application software that won't run on anything newer. The company that provided the software wanted £100K just to *asses* updating it to something newer; the cost of making it work would have been extra.

      They've lost the contract to do the replacement application of course, but that's still years away and in the meantime they're collecting their monthly support fees and not having to do a bit of work for it.

      1. TheRealRoland
        Headmaster

        Re: If only

        Asses. Heh heh.

    2. hellwig

      Re: If only

      That Microsoft has only promised to support Windows 7/2008 security updates for another six months means any company that doesn't already have a plan to move is going to be SOL (Sorely Out of the Loop) anyway.

      It's way too late to be using the too big/slow/cheap excuse at any level. I mean, basically, they're lucky this didn't hit in six months, because then where would they even get a patch from?

      1. whitepines
        Linux

        Re: If only

        See icon...

        When are people going to learn that going the "cheap" route with proprietary, binary-only, complex COTS software just turns into "expensive nightmare" in a decade? Unless of course you're on mainframe or similar, but that's not what I would call "cheap" at all -- you definitely pay for that level of backwards compatibility over time.

        Oh right, by the time the brown stuff hits the rotary impeller you've been promoted and are enjoying your fat paycheck while downsizing the people responsible for maintaining your legacy swamp. Silly me!

      2. Tomato Krill

        Re: If only

        Well, from Microsoft obviously; who else would provide Windows patches?

        Note that they provided patches for XP for BlueKeep because of its severity. That's a bunch more out of support than 7 will be in six months...

    3. Robert Helpmann??
      Childcatcher

      Re: If only

      Everyone's worked at companies too big, too slow, too disjointed, too 'dinosaur' to do things correctly...

      Are you describing a government? Because it sounds exactly like what you are doing. Which one, I wonder...

      1. Julz

        Re: If only

        Them all.
