[Microsoft]Proof-of-Concept Code available for MS12-020

ronjor · Mar 16, 2012

On March 15, we became aware of public proof-of-concept code that results in denial of service for the issue addressed by MS12-020, which we released Tuesday.

We continue to watch the threat landscape and we are not aware of public proof-of-concept code that results in remote code execution.

We recommend customers deploy MS12-020 as soon as possible, as this security update protects against attempts to exploit CVE-2012-0002. Additionally we have offered a one-click Fix It to help mitigate risk for those customers who need time to test the update before deploying it.
Click to expand...

https://blogs.technet.com/b/msrc/ar...e-available-for-ms12-020.aspx?Redirected=true

siljaline · Mar 16, 2012

Thumbs for this, Ron

More on the POC (Proof of Concept), Microsoft offers bounty for RDP exploit.

Dermot7 · Mar 16, 2012

Microsoft has a big, ugly problem on its hands. The company is caught in the middle of what's rapidly become a major controversy centered on the leak of proof-of-concept exploit code for the MS12-020 RDP vulnerability. Many researchers, including the one who first discovered the bug and reported it to Microsoft through the Zero Day Initiative, believe that the software giant has a leak, either within its own walls in Redmond, or somewhere in its MAPP information-sharing program.
Click to expand...

https://threatpost.com/en_us/blogs/...stery-deepens-microsoft-remains-silent-031612

siljaline · Mar 16, 2012

Suspicions aroused as exploit for critical Windows bug is leaked As previously posted, there is a Microsoft Fix-It available - the actual patch release remains to be seen.

More as I know more.

Hungry Man · Mar 16, 2012

This was patched on Tuesday. The Fix-It is for server admins who don't want to deploy a patch without properly testing it.

If you want to read about the leak, go to the source:
http://aluigi.org/adv/ms12-020_leak.txt

siljaline · Mar 17, 2012

Despite the he-said-she-said The threat is real.

Hungry Man said:

This was patched on Tuesday. The Fix-It is for server admins who don't want to deploy a patch without properly testing it.

If you want to read about the leak, go to the source:
http://aluigi.org/adv/ms12-020_leak.txt
Click to expand...

Rmus · Mar 18, 2012

A comment in a recent ISC Diary sums it up nicely:

Why We Rated the MS12-020 Issue with RDP "Patch Now"
http://isc.sans.edu/diary.html?storyid=12781

The big problem for many corporate networks is that this particular exploit is guaranteed to make it into malware exploit payloads. Once a network-internal Windows machine is compromised through the usual methods, scanning for vulnerable RDP servers is extremely easy. This affects not just internet-accessible RDP, but anything visible from the corporate network itself. This will impact networks that require VPN for RDP access, not just naked-RDP networks.
Click to expand...

On the other hand, as another commenter points out, it's a no-threat if the organization has proper perimeter security in place. (My translation: a System Administrator who is doing her/his job)

Of course, with a Patch now released, the above should be moot.

On the other hand #2: Remember Conficker -- that worm appeared on the scene 11 days after the patch for MS08-067 was released, and didn't peak until a few months later.

(Translation offered free of charge: patches don't work unless they are installed.)

----
rich

Newby · Mar 18, 2012

A friend has setup my computer (it is windows 7 pro version). All is in grey?
Does this mean everything is disabled and not vulnarable to the exploit?

ronjor · Mar 18, 2012

Microsoft blames security info-sharing program for attack code leak

By Gregg Keizer, Computerworld
March 18, 2012 07:29 AM ET

Microsoft on Friday confirmed that sample attack code created by the company had likely leaked to hackers from a program it runs with antivirus vendors.

"Details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protection Program (MAPP) partners," Yunsun Wee, a director with Microsoft's Trustworthy Computing group, said in a statement posted on the company's site .

"Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements," Wee added.
Click to expand...

https://www.networkworld.com/news/2...mes-security-info-sharing-program-257397.html

ronjor · Mar 18, 2012

not vulnarable to the exploit?
Click to expand...

If you keep your computer updated with Windows Update, you should be okay.

Trooper · Mar 19, 2012

Im confused about this.

So, if we received the Windows Update last Tuesday are we ok? Or not?

This patch here right?

http://technet.microsoft.com/en-us/security/bulletin/ms12-020

ronjor · Mar 19, 2012

You're okay if you keep you Windows Updates current.

Trooper · Mar 19, 2012

ronjor said:

You're okay if you keep you Windows Updates current.
Click to expand...

Thanks Ron.

We're all set here then at work.

Cheers!

Dermot7 · Mar 19, 2012

MS12-020,a use-after-free discovered by Luigi Auriemma, is roiling the Information Security community something fierce. That’s somewhat to be expected — this is a genuinely nasty bug. But if there’s one thing that’s not acceptable, it’s the victim shaming.

As people who know me, know well, nothing really gets my hackles up like blaming the victims of the cybersecurity crisis. “Who could possibly be so stupid as to put RDP on the open Internet”, they ask. Well, here’s some actual data:
Click to expand...

http://dankaminsky.com/2012/03/18/rdp/

Hungry Man · Mar 19, 2012

I agree with Dan 100%. Victim blaming is probably the most common trend in IT. "Well they clicked the link so they deserve it blah blah blah they didn't update the patch so they deserve it." It's ridiculous.

Dermot7 · Mar 20, 2012

As the inquiry into who leaked the proof-of-concept exploit code for the MS12-020 RDP flaw continues, organizations that have not patched their machines yet have a new motivation to do so: A Metasploit module for the vulnerability is now available.
Click to expand...

https://threatpost.com/en_us/blogs/exploit-ms12-020-rdp-bug-moves-metasploit-032012

Dermot7 · Mar 27, 2012

Since the public release of Microsoft's MS12-020 bulletin, there have been plenty of attempts to exploit vulnerabilities in the Remote Desktop Protocol (RDP). Last week, we received a related sample, which turned out to be a tool called "RDPKill by: Mark DePalma" that was designed to kill targeted RDP service.
Click to expand...

https://www.f-secure.com/weblog/archives/00002338.html

Dermot7 · May 3, 2012

Microsoft on Thursday outed a China-based network security company as the one responsible for the leak of information that led to the development proof-of-concept code for a major Windows vulnerability that was patched in March.
Click to expand...

http://www.scmagazine.com/chinese-f...rom-microsoft-sharing-program/article/239594/

Log in or Sign up

[Microsoft]Proof-of-Concept Code available for MS12-020

ronjor Global Moderator

siljaline Registered Member

Dermot7 Registered Member

siljaline Registered Member

Hungry Man Registered Member

siljaline Registered Member

Attached Files:

RDP.jpg

Rmus Exploit Analyst

Newby Registered Member

Attached Files:

Untitled.png

ronjor Global Moderator

ronjor Global Moderator

Trooper Registered Member

ronjor Global Moderator

Trooper Registered Member

Dermot7 Registered Member

Hungry Man Registered Member

Dermot7 Registered Member

Dermot7 Registered Member

Dermot7 Registered Member

Log in or Sign up

[Microsoft]Proof-of-Concept Code available for MS12-020

ronjor Global Moderator

siljaline Registered Member

Dermot7 Registered Member

siljaline Registered Member

Hungry Man Registered Member

siljaline Registered Member

Attached Files:

RDP.jpg

Rmus Exploit Analyst

Newby Registered Member

Attached Files:

Untitled.png

ronjor Global Moderator

ronjor Global Moderator

Trooper Registered Member

ronjor Global Moderator

Trooper Registered Member

Dermot7 Registered Member

Hungry Man Registered Member

Dermot7 Registered Member

Dermot7 Registered Member

Dermot7 Registered Member

Useful Searches