Microsoft information about a vulnerability related to Remote Desktop Protocol (RDP) may have leaked in the form of proof-of-concept code in the wild.
Microsoft is asking customers to deploy a patch for a "critical" bulletin from last week's Patch Tuesday, after the public appearance of proof-of-concept code that apparently targets the vulnerability.
That critical bulletin, MS12-020 (Windows), addresses an issue in Remote Desktop Protocol (RDP). While Microsoft insisted in a March 13 posting on the Microsoft Security Response Center blog that "we know of no active exploitation in the wild," it also advised that customers examine and prepare to apply this bulletin as soon as possible. As it stands, the vulnerability allows an attacker to achieve remote code execution; Microsoft is offering a one-click, no-reboot Fix It that enables Network-Level Authentication, an effective mitigation for this issue.
While the public proof-of-concept code results in denial of service for the RDP issue related to MS12-020, Microsoft claims to be unaware of proof-of-concept code that actually results in remote code execution. Moreover, information about the vulnerability may have been leaked.
"The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) Partners," Yunsun Wee, director of Trustworthy Computing, wrote in a March 16 corporate blog posting, three days after Patch Tuesday. "Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected."
Outside analysts have likewise urged everyone concerned to patch the RDP vulnerability.
"Last fall, we saw the RDP worm Morto attacking publicly exposed Remote Desktop services across businesses of all sizes with brute-force password guessing," Kurt Baumgartner, senior security researcher for Kaspersky Lab, wrote in a March 13 posting on Securelist. "The Morto worm incident brought attention to poorly secured RDP services. Accordingly, this Remote Desktop vulnerability must be patched immediately."
Unfortunately, he added, most companies fail to sufficiently secure their RDP services. "It seems to me that every time a small and medium-sized organization runs a network, the employees or members expect remote access," he wrote. "In turn, this Remote Desktop service is frequently exposed to public networks with lazy, no-VPN or restricted communications at these sized organizations."
Others agreed with that assessment. "This patch should be your highest priority if you use RDP," wrote Paul Henry, security and forensic analyst at Lumension, in reference to MS12-020.
Follow Nicholas Kolakowski on Twitter