Microsoft warns: Expect exploits for critical Windows worm hole


humble3d

By Ryan Naraine | March 13, 2012, 11:12am PDT

Summary: There’s a remote, pre-authentication, network-accessible code execution vulnerability in Microsoft’s implementation of the RDP protocol.

Attention Microsoft Windows administrators: Stop what you’re doing and apply the new — and very critical — MS12-020 update.

Microsoft is warning that there’s a remote, pre-authentication, network-accessible code execution vulnerability in its implementation of the RDP protocol.

From the bulletin:

A remote code execution vulnerability exists in the way that the Remote Desktop Protocol accesses an object in memory that has been improperly initialized or has been deleted. An attacker who successfully exploited this vulnerability could run arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The vulnerability, which affects all versions of Windows, was privately reported to Microsoft via the ZDI vulnerability broker service, and the company said it was not yet aware of any attacks in the wild.

Although RDP is disabled by default, Microsoft is urging all Windows users to treat this issue with the utmost priority.

“Due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days,” Microsoft said.

It is important to note that the vulnerable code is reachable only if RDP is enabled, and that a mitigation feature in RDP called NLA (Network Level Authentication) moves the vulnerable code path to post-authentication, which makes this vulnerability less likely to be wormed. There are instructions here to enable NLA on Windows to reduce the severity of a potential attack.
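As an added example, not part of the article: an elevated PowerShell audit of the two conditions described above, RDP enabled and NLA not required, which together leave the pre-authentication code path exposed. It reads the standard Terminal Server registry values (fDenyTSConnections and RDP-Tcp\UserAuthentication) and checks for a listener on 3389/TCP; the optional -RequireNla switch turns NLA on as an interim mitigation, not a replacement for installing MS12-020.

```powershell
# Added example (not from the article): report whether this host exposes RDP
# without Network Level Authentication, and optionally require NLA.
# Run in an elevated session. Patching with MS12-020 is still required.
[CmdletBinding()]
param(
    [switch]$RequireNla   # when set, enable NLA instead of only reporting
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is disabled (the Windows default).
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denyTs -eq 0)

# UserAuthentication = 1 means NLA is required: the client must authenticate
# before the RDP session code the bulletin covers is reached.
$userAuth = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($userAuth -eq 1)

# SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS. Informational here.
$secLayer = (Get-ItemProperty -Path $rdpKey -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer

# Is anything actually listening on the default RDP port, 3389/TCP?
$listening = netstat -ano -p TCP | Select-String ':3389\s' | Select-String 'LISTENING'

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    RdpEnabled     = $rdpEnabled
    NlaRequired    = $nlaRequired
    SecurityLayer  = $secLayer
    Port3389Listen = [bool]$listening
    PreAuthExposed = ($rdpEnabled -and -not $nlaRequired)
} | Format-List

if ($RequireNla -and $rdpEnabled -and -not $nlaRequired) {
    # Mitigation only: the vulnerable code is still present until MS12-020 is installed.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Write-Host 'NLA is now required for RDP connections on this host.'
}
```

PreAuthExposed is the field to act on: it is true only when RDP is on and NLA is off, the combination the article singles out as wormable.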

Microsoft confirms MAPP proof-of-concept exploit code leak

By Ryan Naraine | March 16, 2012, 2:18pm PDT

Summary: The smoking gun that the leak came from Microsoft’s information was contained in a string found in the Chinese proof-of-concept.

An embarrassing leak within the Microsoft Active Protections Program (MAPP) has led to the publication of proof-of-concept code for a serious security hole in all versions of Windows, Microsoft confirmed late Friday.

The company’s confirmation of the MAPP leak follows the release of code on a Chinese-language forum that provides a roadmap for hackers to launch remote code execution attacks against a flaw in Microsoft’s implementation of the RDP protocol.

“The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners. Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements.”

According to Yunsun Wee, a director in Microsoft’s Trustworthy Computing group, the public proof-of-concept code results only in denial-of-service crashes against unpatched Windows systems.

“We continue to watch the threat landscape and we are not aware of public proof-of-concept code that results in remote code execution,” Wee added.

“We recommend customers deploy MS12-020 as soon as possible, as this security update protects against attempts to exploit CVE-2012-0002. Additionally we have offered a one-click Fix It to help mitigate risk for those customers who need time to test the update before deploying it,” she added.

Microsoft did not address details of the MAPP leak, which effectively gave outsiders advance notice — and proof-of-concept code — about the vulnerability before the patch was released. The company made it clear that security vulnerability details are provided to MAPP partners “under a strict Non-Disclosure Agreement,” but there’s no word on whether the leak came from a third party or from Microsoft’s own internal process.

The company declined to provide a spokesperson for a full interview.

The smoking gun that the leak came from Microsoft’s information was contained in a string found in the Chinese proof-of-concept. It references “MSRC11678,” which is the Microsoft Security Response Center case number that was assigned to the vulnerability when it was reported by TippingPoint’s Zero Day Initiative (ZDI).

Even without that string, researcher Luigi Auriemma said he was 100% sure the leak came from Microsoft because of several unique characteristics.

Auriemma, who was credited with finding and reporting the vulnerability, has published details of those characteristics alongside some not-so-veiled criticisms of the software vendor.

Separately, exploit writers at Core Security have pushed out a “commercial grade exploit” to its IMPACT pen-testing tool. Core said its exploit triggers a memory corruption vulnerability in the Remote Desktop Service by sending a malformed packet to the 3389/TCP port. It is currently shipped as a denial-of-service module in IMPACT.

Security researchers have set up a special website (http://istherdpexploitoutyet.com/) to monitor the creation and release of exploits targeting this vulnerability.

http://www.zdnet.com/blog/security/microsoft-confirms-mapp-proof-of-concept-exploit-code-leak/10872?tag=content;siu-container

SEE ALSO: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
