Wednesday, March 28, 2012

Windows Updates for March include critical fix for RDP

The Windows Update round for March 2012 included one patch, MS12-020, "Vulnerabilities in Remote Desktop Could Allow Remote Code Execution", which has the security blogosphere buzzing. It is probably critical only for corporate environments where Remote Desktop is enabled and exposed to the open Internet. Home users don't routinely have RDP enabled, and if they do, they have to expose it manually through their routers, a technical step most won't understand.

That said, if this affects you, please read on. [EDIT] NOTE THAT EXPLOIT CODE HAS BEEN DEVELOPED -- see the last few links for more.
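Since the risk here hinges on whether Remote Desktop is actually enabled, listening, and unpatched on a given box, here is an added audit script (not from the original post or any of the linked articles) that reports those three facts for the local Windows host. It assumes a Windows host with PowerShell 2.0 or later, administrator rights, and that the admin supplies the KB number of the MS12-020 update from the Microsoft bulletin, which this post does not list.

```powershell
# Added example, not part of the original post. Audits the local host for the
# conditions that make MS12-020 matter: Remote Desktop enabled, the RDP port
# listening, and the update not installed. Run as an administrator.
param(
    # KB id of the MS12-020 update, taken from the Microsoft bulletin
    # (assumption: supplied by the admin; the post itself gives no KB number).
    [string]$PatchKB
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled, which is the
# default on a standard Windows install, as the post notes.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# RDP-Tcp\PortNumber holds the listening port; 3389 is the standard value.
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }

# Check the listener with netstat rather than Get-NetTCPConnection so the
# script also works on the XP / 2003 / Vista / 7-era hosts the bulletin covers.
$listening = [bool](netstat -ano | Select-String -Pattern "TCP\s+\S+:$port\s+\S+\s+LISTENING")

# Get-HotFix -Id returns nothing when the KB is absent.
$patched = $false
if ($PatchKB) {
    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
}

$verdict = 'RDP disabled; MS12-020 is not reachable on this host'
if ($rdpEnabled -and -not $patched) {
    $verdict = 'RDP enabled and update not found: patch now, then confirm the router/firewall does not forward this port from the Internet'
} elseif ($rdpEnabled) {
    $verdict = 'RDP enabled and update present; still review whether the port needs to be Internet-reachable'
}

New-Object PSObject -Property @{
    RemoteDesktopEnabled = $rdpEnabled
    RdpPort              = $port
    PortListening        = $listening
    PatchInstalled       = $patched
    Verdict              = $verdict
}
```

The script cannot see the router or perimeter firewall, so "listening" only means the host itself accepts RDP; whether that port is exposed to the Internet has to be checked at the network edge.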

ISC Diary | March 2012 Microsoft Black Tuesday

Overview of the March 2012 Microsoft patches and their status.

Microsoft warns: Expect exploits for critical Windows worm hole | ZDNet

Attention Microsoft Windows administrators: Stop what you’re doing and apply the new — and very critical — MS12-020 update.

Microsoft is warning that there’s a remote, pre-authentication, network-accessible code execution vulnerability in its implementation of the RDP protocol.

RDP Flaws Lead Microsoft’s March Patch Batch — Krebs on Security

Microsoft today released updates to sew up at least seven vulnerabilities in Windows and other software. The sole “critical” update in the bunch patches a particularly dangerous flaw in all supported versions of Windows that allows attackers to seize control over vulnerable systems remotely without authentication.

The critical update plugs two security holes in Microsoft’s Remote Desktop Protocol (RDP), a service that is designed to let administrators access Windows systems remotely over a network. The saving grace for these vulnerabilities — which are present in Windows XP, Vista and 7, and Windows Server 2003 and 2008 — is that RDP is not enabled by default on standard Windows installations. That means it is far more likely to be a threat to businesses than to consumer systems.

ISC Diary | Why We Rated the MS12-020 Issue with RDP "Patch Now"

Microsoft's March 2012 "Black Tuesday" announcement included the MS12-020 patch, which fixes a vulnerability in Microsoft's implementation of RDP. This vulnerability (CVE-2012-0002) could allow a remote unauthenticated attacker to execute arbitrary code on the affected system. Microsoft labeled this issue "Critical" and we assigned it our highest severity label "Patch Now" for servers. Here's why:

  • The CVE-2012-0002 vulnerability applies to most flavors of Microsoft Windows.
  • It can be exploited over the network.
  • Companies often make RDP accessible on the standard TCP port 3389 from the Internet for remote access to servers and sometimes workstations.

These factors make it very attractive for attackers to attempt reverse-engineering Microsoft's MS12-020 patch to understand the details of the bug and craft an exploit. This will likely happen sooner than 30 days. The universal applicability of the exploit and its targetability over the Internet and internal networks might motivate the creation of auto-propagating worms to capture systems quickly and efficiently.

Exploit code published for RDP worm hole; Does Microsoft have a leak? | ZDNet

Chinese hackers have released proof-of-concept code that provides a roadmap to exploit a dangerous RDP (remote desktop protocol) vulnerability that was patched by Microsoft earlier this week.

The publication of the code on a Chinese language forum heightens the urgency to apply Microsoft’s MS12-020 update, which addresses a remote, pre-authentication, network-accessible code execution vulnerability in Microsoft’s implementation of the RDP protocol.

It also sets off alarm bells in the corridors at Redmond because there are clear signs that Microsoft’s pre-patch vulnerability sharing program has been breached or has suffered a major leak.

Microsoft confirms MAPP proof-of-concept exploit code leak | ZDNet

An embarrassing leak within the Microsoft Active Protections Program (MAPP) has led to the publication of proof-of-concept code for a serious security hole in all versions of Windows, Microsoft confirmed late Friday.

RDP Flaw Found – Get Patched Now | Remote Administration For Windows

1 comment:

Lid-Am said...

Thanks for sharing.

Anyway, I did disable my Windows Update to prevent it from rebooting right after the update process is done.