Microsoft’s estimate that it would take ne’er-do-wells 30 days to exploit the recently discovered RDP vulnerability appears to be wide of the mark, following the apparent leaking of working proof-of-concept code.
The flaw, patched by the MS12-020 Security Update released by Microsoft last Tuesday, allows remote attackers to execute code under the ‘system’ privilege level. As the attack requires no authentication, it represents a serious threat to any system running Remote Desktop Protocol (RDP) and connected to the internet – some five million machines, according to security researcher Dan Kaminsky.
In mitigation, Microsoft claimed that the complexity of the flaw meant that it was ‘not trivial‘ to produce a working exploit for the flaw, saying that ‘we would be surprised to see one developed in the next few days.‘ Instead, the company predicted that it would take around 30 days for the vulnerability to be actively exploited, giving affected customers time to review and install the patch or implement a workaround.
Sadly, it looks like Microsoft has been caught by surprise after all: a working proof-of-concept has appeared on the internet, giving attackers the code required to readily and easily exploit the security vulnerability.
The code doesn’t appear to have been developed independently, either. Security researcher Luigi Auriemma, who spotted the flaw and provided a proof-of-concept to Microsoft via TippingPoint’s Zero Day Initiative (ZDI) cash-for-bugs security programme, claims that the public proof-of-concept code contains the exact same packet he crafted in his submission to Microsoft. The implication: somebody at Microsoft or TippingPoint leaked the information to the bad guys.
Microsoft, naturally, denies doing any such thing. Instead, the company claims that the leak may have come from one of its Microsoft Active Protections Programme (MAPP) partners, of which ZDI is a member. ‘The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Programme partners,‘ the company’s director of trustworthy computing Yunsun Wee admits. ‘Consistent with the charter of the MAPP program, we released details related to the vulnerabilities addressed in MS12-020 to MAPP partners under a strict Non-Disclosure Agreement in advance of releasing the security bulletin.‘
‘Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and programme requirements,‘ Wee adds.
Those who have installed the MS12-020 patch, either manually or via Windows Update, are protected against exploitation of the flaw.
This is re-blogged from, http://www.bit-tech.net/news/bits/2012/03/19/leak-outs-rdp-exploit/1