Microsoft is asking customers to deploy a patch for a “critical” bulletin from last weeks Patch Tuesday, after the public appearance of proof-of-concept code that apparently targets the vulnerability.
That critical bulletin, MS12-020 (Windows) addresses an issue in Remote Desktop Protocol (RDP). While Microsoft insisted in a March 13 posting on the Microsoft Security Response Center blog that we know of no active exploitation in the wild, it also advised that customers examine and prepare to apply this bulletin as soon as possible. As it stands, the vulnerability allows an attacker to achieve remote code execution; Microsoft is offering a one-click, no-reboot Fix It that enables Network-Level Authentication, an effective mitigation for this issue.
While the public proof-of-concept code results in denial of service for the RDP issue related to MS12-020, Microsoft claims to be unaware of proof-of-concept code that actually results in remote code execution. Moreover, information about the vulnerability may have been leaked.
The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) Partners, Ynsun Wee, director of Trustworthy Computing, wrote in a March 16 corporate blog posting, three days after Patch Tuesday. Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected.
Outside analysts have likewise urged everyone concerned to patch the RDP vulnerability.
Last fall, we saw the RDP worm Morto attacking publicly exposed Remote Desktop services across businesses of all sizes with brute-force password guessing, Kurt Baumgartner, senior security researcher for Kaspersky Lab, wrote in a March 13 posting on Securelist, The Morto worm incident brought attention to poorly secured RDP services. Accordingly, this Remote Desktop vulnerability must be patched immediately.
Unfortunately, he added, most companies fail to sufficiently secure their RDP services. It seems to me that every time a small and medium-sized organization runs a network, the employees or members expect remote access, he wrote. In turn, this Remote Desktop service is frequently exposed to public networks with lazy, no-VPN or restricted communications at these sized organizations.
Others agreed with that assessment. This patch should be your highest priority if you use RDP, wrote Paul Henry, security and forensic analyst at Lumension, in reference to MS12-020.