Tuesday, March 13, 2012


It’s been some time since I wrote anything related to specific vulnerabilities, but MS12-020 is a quite interesting one. It allows remote unauthenticated exploitation of the RDP server on Windows.


Let’s keep in mind that since Windows 2000 we’ve been pushing organizations to migrate from stuff like Dameware, VNC and PCAnywhere to Terminal Services, as it is a native service with decent authentication and encryption. Due to remote access and support requirements there are lots of firewalls out there with a hole for TCP3389, leaving a lot of servers exposed to the Internet. The list of vulnerable Windows versions also indicates the vulnerability is in a piece of code that has been around for some time, so for those with unsupported Windows 2000 and Windows XP/2003 older Service Packs, keep in mind that you may have a huge hole on your systems without a fix to apply. Time for an upgrade?


We’ll see how bad the exploitation for this will be in the next few weeks; I can see it as big opportunity for worms and botnet developers.


UPDATE: not only this is really becoming great news and rumours of exploits being developed getting stronger, there are some interesting news about the source of the data used in the first PoCs circulating on the web. It seems that PoC code developed/used by Microsoft Security Research Centre is actually the exploit found in a chinese web site. Just imagine what it could mean to all the cyber-war / cyber-espionage thing if we find out that organizations like the MSRC have been compromised and details about 0 days are actively being stolen from them. Creepy.

No comments:

Post a Comment