Well, that didn’t take long. As of Thursday, an MS12-020 PoC (the Remote Desktop Protocol vulnerability) is in the wild. Looks like one of Microsoft’s MAPP partners leaked some test code. This PoC code only causes a Blue-Screen-of-Death, so the damage is limited to a denial-of-service. It won’t be long until the bad guys figure out which values they need to modify to achieve remote code execution. When that happens and you still have RDP open to the Internet and unpatched, you lose. I suspect we’ll see a worm exploiting this within a week. This could end up being a SQL Slammer-type event…
The MS12-020 vulnerability for which Microsoft released a patch yesterday is about as bad as you can get. The vulnerability requires *no* authentication, can be exploited from *any network* that has connectivity to a Remote Desktop Protocol (RDP) service, and gives an attacker a full GUI at the super-user level (the SYSTEM account on Windows). Game. Over.
Oracle dropped a bomb today on DBAs everywhere: the January 2012 CPU addresses 79 vulnerabilities! Affected Oracle products range from the 10g and 11g releases of Oracle Database, to WebLogic, VirtualBox, and even MySQL. One of the Oracle Database patches fixes a vulnerability that is remotely exploitable without authentication. In other words, PATCH NOW! (After testing, of course.)Read more
Adobe has released updates for the Acrobat suite of products. The update fixes over two dozen vulnerabilities[adobe.com], at least one of which is being actively exploited. The version number of the fixed Acrobat and Acrobat Reader products are 9.2, 8.1.7, and 7.1.4.
What is more damning than the 29 vulnerabilities fixed is that it appears that many of the vulnerabilities have existed since the Acrobat 7.x and are just now being discovered and/or addressed. I have a suggestion for Adobe: Get your developers some secure coding training. Stop all coding at your company until all your developers have taken one month of secure coding classes.
Another Adobe Acrobat vulnerability is being exploited in the wild. All versions up to and including 9.1.3 are vulnerable. The current exploit targets Acrobat and Acrobat Reader on Windows specifically, but all Acrobat variants (those for Linux and Mac OS X) are vulnerable. Apparently, using DEP (Data Execution Prevention) in Windows may thwart the attack (at the moment). DEP is an optional setting. Here is the Microsoft KB article about DEP, but their server is saying it’s “too busy” at the moment (4:11p). More information from the ISC is here.
Adobe is set to release an update on October 13. Until then, keep on your toes!
TRUE Network Security Monitoring customers: rest easier: if your resources are successfully attacked, we should see the results.