Information Security in Today's Digital Culture

Remote Desktop Vulnerability (MS12-020) Is the Worst of the Worst

March 14th, 2012 | Posted by Brett Edgar in Advisories | Microsoft | Security | Windows

The MS12-020 vulnerability for which Microsoft released a patch yesterday is about as bad as you can get. The vulnerability requires *no* authentication, can be exploited from *any network* that has connectivity to a Remote Desktop Protocol (RDP) service, and gives an attacker a full GUI at the super-user level (the SYSTEM account on Windows). Game. Over.

Those who haven’t patched yet fall into one of three categories: those who are crazy, those who enjoy getting hacked, or those who are blissfully unaware of this vulnerability and its implications. For those in the last category, you won’t be blissfully unaware for long. Microsoft’s Security Research Team expects a working exploit to be published as soon as seven days from now, and likely within one month. If you have more than a handful of servers to patch, you had better get started patching NOW!

The Sourcefire VRT already has signatures in place to detect attempts to exploit this vulnerability, and since True gets the VRT feed updates at least daily, True Digital Security’s Network Security Monitoring customers will be alerted if an attack happens. However, an IDS can’t prevent the attack, only warn that it has likely happened. Consequently, TRUE is recommending that all of our clients apply the MS12-020 patch immediately.

Further recommendation: If you have RDP open to the Internet, now is the perfect time to close that firewall hole and require VPN access as your single entry-point to the internal network from the Internet.
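As an added illustration of that recommendation (this is not code from the original post), the script below reads perimeter-firewall log lines and lists internal hosts that accepted TCP/3389 connections from sources that are neither in the VPN client pool nor in private address space, i.e. RDP still reachable straight from the Internet. The log format, the addresses, and the VPN pool `10.8.0.0/24` are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample perimeter-firewall log (not from the original post).
# Fields: timestamp action src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2012-03-14T08:01:12 ACCEPT 203.0.113.45 51234 192.0.2.10 3389 TCP
2012-03-14T08:01:15 ACCEPT 10.8.0.23 49152 192.0.2.10 3389 TCP
2012-03-14T08:02:01 DROP 198.51.100.7 40000 192.0.2.11 3389 TCP
2012-03-14T08:03:44 ACCEPT 203.0.113.45 51240 192.0.2.12 443 TCP
2012-03-14T08:04:10 ACCEPT 198.51.100.9 33001 192.0.2.11 3389 TCP
2012-03-14T08:04:11 ACCEPT 198.51.100.9 33002 192.0.2.11 3389 UDP
"""

RDP_PORT = 3389
# Sources allowed to reach RDP: the assumed VPN client pool plus RFC 1918 space.
# RFC 1918 ranges are listed explicitly because ipaddress.is_private also
# treats the TEST-NET documentation ranges used in the sample as private.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.8.0.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one log line into a record with typed address/port fields."""
    ts, action, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "action": action, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def exposed_rdp_hosts(log_text, trusted_nets=TRUSTED_NETS):
    """Return {dst_ip: [src_ip, ...]} for accepted TCP/3389 connections whose
    source lies outside every trusted network: the firewall hole to close."""
    exposed = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["action"] != "ACCEPT" or rec["proto"] != "TCP" or rec["dport"] != RDP_PORT:
            continue
        if any(rec["src"] in net for net in trusted_nets):
            continue  # came in over VPN or from internal space: expected
        exposed[str(rec["dst"])].append(str(rec["src"]))
    return dict(exposed)


if __name__ == "__main__":
    for host, sources in exposed_rdp_hosts(SAMPLE_LOG).items():
        print(f"{host} accepted RDP from the Internet: {', '.join(sources)}")
```

Any host the script reports should have its inbound 3389 rule removed from the perimeter firewall, leaving the VPN as the only path to RDP.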

True’s Red Team expects Metasploit to have an exploit for this within a month. They also did a little happy dance when they realized that (unfortunately) they will be using this vulnerability for years to come to gain access during penetration tests.

Brett Edgar

Brett is a Founder and the former Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.
