Microsoft Critical Vulnerability Info May Have Leaked

Microsoft information about a vulnerability related to Remote Desktop Protocol (RDP) may have leaked in the form of proof-of-concept code in the wild.

Microsoft is asking customers to deploy a patch for a "critical" bulletin from last week's Patch Tuesday, after the public appearance of proof-of-concept code that apparently targets the vulnerability.

That critical bulletin, MS12-020 (Windows), addresses an issue in Remote Desktop Protocol (RDP). While Microsoft insisted in a March 13 posting on the Microsoft Security Response Center blog that "we know of no active exploitation in the wild," it also advised that "customers examine and prepare to apply this bulletin as soon as possible." As it stands, the vulnerability allows an attacker to achieve remote code execution; Microsoft is offering a one-click, no-reboot Fix It "that enables Network-Level Authentication, an effective mitigation for this issue."

While the public proof-of-concept code results in denial of service for the RDP issue related to MS12-020, Microsoft claims to be unaware of proof-of-concept code that actually results in remote code execution. Moreover, information about the vulnerability may have been leaked.

"The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) Partners," Yunsun Wee, director of Trustworthy Computing, wrote in a March 16 corporate blog posting, three days after Patch Tuesday. "Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected."

Outside analysts have likewise urged everyone concerned to patch the RDP vulnerability.

"Last fall, we saw the RDP worm Morto attacking publicly exposed Remote Desktop services across businesses of all sizes with brute-force password guessing," Kurt Baumgartner, senior security researcher for Kaspersky Lab, wrote in a March 13 posting on Securelist. "The Morto worm incident brought attention to poorly secured RDP services. Accordingly, this Remote Desktop vulnerability must be patched immediately."

Unfortunately, he added, most companies fail to sufficiently secure their RDP services. "It seems to me that every time a small and medium-sized organization runs a network, the employees or members expect remote access," he wrote. "In turn, this Remote Desktop service is frequently exposed to public networks with lazy, no-VPN or restricted communications at these sized organizations."

Others agreed with that assessment. "This patch should be your highest priority if you use RDP," wrote Paul Henry, security and forensic analyst at Lumension, in reference to MS12-020.

Follow Nicholas Kolakowski on Twitter