Microsoft Critical Vulnerability Info May Have Leaked

By Nicholas Kolakowski  |  Posted 2012-03-19

Microsoft information about a vulnerability related to Remote Desktop Protocol (RDP) may have leaked in the form of proof-of-concept code in the wild.

Microsoft is asking customers to deploy a patch for a "critical" bulletin from last week's Patch Tuesday, after the public appearance of proof-of-concept code that apparently targets the vulnerability.

That critical bulletin, MS12-020 (Windows), addresses an issue in Remote Desktop Protocol (RDP). While Microsoft insisted in a March 13 posting on the Microsoft Security Response Center blog that "we know of no active exploitation in the wild," it also advised that "customers examine and prepare to apply this bulletin as soon as possible." As it stands, the vulnerability allows an attacker to achieve remote code execution; Microsoft is offering a one-click, no-reboot Fix It "that enables Network-Level Authentication, an effective mitigation for this issue."

While the public proof-of-concept code results in denial of service for the RDP issue related to MS12-020, Microsoft claims to be unaware of proof-of-concept code that actually results in remote code execution. Moreover, information about the vulnerability may have been leaked.

"The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) Partners," Yunsun Wee, director of Trustworthy Computing, wrote in a March 16 corporate blog posting, three days after Patch Tuesday. "Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected."

Outside analysts have likewise urged everyone concerned to patch the RDP vulnerability.

"Last fall, we saw the RDP worm Morto attacking publicly exposed Remote Desktop services across businesses of all sizes with brute-force password guessing," Kurt Baumgartner, senior security researcher for Kaspersky Lab, wrote in a March 13 posting on Securelist. "The Morto worm incident brought attention to poorly secured RDP services. Accordingly, this Remote Desktop vulnerability must be patched immediately."

Unfortunately, he added, most companies fail to sufficiently secure their RDP services. "It seems to me that every time a small and medium-sized organization runs a network, the employees or members expect remote access," he wrote. "In turn, this Remote Desktop service is frequently exposed to public networks with lazy, no-VPN or restricted communications at these sized organizations."

Others agreed with that assessment. "This patch should be your highest priority if you use RDP," wrote Paul Henry, security and forensic analyst at Lumension, in reference to MS12-020.

Nicholas Kolakowski is a staff editor at eWEEK, covering Microsoft and other companies in the enterprise space, as well as evolving technology such as tablet PCs. His work has appeared in The Washington Post, Playboy, WebMD, AARP the Magazine, AutoWeek, Washington City Paper, Trader Monthly, and Private Air. He lives in Brooklyn, New York.
