Tuesday, March 13, 2012


It’s been some time since I wrote anything related to specific vulnerabilities, but MS12-020 is a quite interesting one. It allows remote unauthenticated exploitation of the RDP server on Windows.


Let’s keep in mind that since Windows 2000 we’ve been pushing organizations to migrate from stuff like Dameware, VNC and PCAnywhere to Terminal Services, as it is a native service with decent authentication and encryption. Due to remote access and support requirements there are lots of firewalls out there with a hole for TCP3389, leaving a lot of servers exposed to the Internet. The list of vulnerable Windows versions also indicates the vulnerability is in a piece of code that has been around for some time, so for those with unsupported Windows 2000 and Windows XP/2003 older Service Packs, keep in mind that you may have a huge hole on your systems without a fix to apply. Time for an upgrade?


We’ll see how bad the exploitation for this will be in the next few weeks; I can see it as big opportunity for worms and botnet developers.


UPDATE: not only this is really becoming great news and rumours of exploits being developed getting stronger, there are some interesting news about the source of the data used in the first PoCs circulating on the web. It seems that PoC code developed/used by Microsoft Security Research Centre is actually the exploit found in a chinese web site. Just imagine what it could mean to all the cyber-war / cyber-espionage thing if we find out that organizations like the MSRC have been compromised and details about 0 days are actively being stolen from them. Creepy.

Thursday, March 1, 2012

You don't have to always be the bad guy

So, Zenprise is saying that most of their clients are buying Mobile Device Management (MDM) tools to block stuff such as Angry Birds and Facebook, due to productivity issues, instead of doing real security work.

If you ever had to manage Web content filtering tools you know how it works. Some manager gets mad because he sees an employee browsing his Facebook or Twitter timeline at work and decide that Security has to block those productivity killing nightmares. Security is always blocking stuff, right? Why wouldn’t they block that too?

Because Security is always having a bad time trying to not look like Mordac. Yes, sometimes we have to block stuff due to security risks, but that doesn’t mean we should also be responsible for blocking stuff for other reasons. In order to inject itself in the early phases of business and IT initiatives we are constantly trying to change our image from the guys who are always preventing anything from happening to business enablers. How can we do it if we keep wearing all those control freak hats?

Security has to either say no to who is asking to block stuff not related to security threats or demand that those actions are clearly defined as policies from other groups, such as HR. Even if the tools used for those controls are the same being used for security reasons and operated by the Security team, the reasons for blocking stuff unrelated to security should be clearly stated and the processes to request exceptions or changes to the policy should be detached from those used for security stuff. Even the risk assessment of those requests is different, so why would we do it the same way (and by the same people)?

Maybe those draconian policies are being used to justify money spent on all those shiny tools, some classical security theater. If users are seeing that huge STOP! sign every time they try to access a website they will certainly think the network is really secure, right? J