Microsoft warns: Expect exploits for critical Windows worm hole

Summary: There's a remote, pre-authentication, network-accessible code execution vulnerability in Microsoft's implementation of the RDP protocol.


Attention Microsoft Windows administrators: Stop what you're doing and apply the new -- and very critical -- MS12-020 update.

Microsoft is warning that there's a remote, pre-authentication, network-accessible code execution vulnerability in its implementation of the RDP protocol.

From the bulletin:

A remote code execution vulnerability exists in the way that the Remote Desktop Protocol accesses an object in memory that has been improperly initialized or has been deleted. An attacker who successfully exploited this vulnerability could run arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The vulnerability, which affects all versions of Windows, was privately reported to Microsoft via the ZDI vulnerability broker service, and the company said it was not yet aware of any attacks in the wild.

Although RDP is disabled by default, Microsoft is urging all Windows users to treat this issue with the utmost priority.

"Due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days," Microsoft said.


It's important to note that the vulnerable code is reachable only if RDP is enabled, and that a mitigation feature in RDP called NLA (Network Level Authentication) moves it behind authentication, which makes this vulnerability less likely to be wormed. There are instructions here to enable NLA on Windows to reduce the severity of a potential attack.
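The two conditions the paragraph above describes (is RDP enabled, and is NLA required) can be read straight from the Terminal Server registry settings. The following audit script is an added example, not code from the article or from Microsoft; it reports a host's exposure and, with `-Enforce`, turns on the NLA requirement. The registry paths and value names are the standard RDP-Tcp listener settings; run it in an elevated session.

```powershell
# Added example: audit RDP exposure relevant to MS12-020 and optionally require NLA.
param([switch]$Enforce)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

$ts  = Get-ItemProperty -Path $tsKey
$tcp = Get-ItemProperty -Path $tcpKey

# fDenyTSConnections: 1 = RDP disabled (the Windows default); 0 = RDP enabled.
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
# UserAuthentication: 1 = NLA required ("more secure"); 0 = not required ("less secure").
$nlaRequired = ($tcp.UserAuthentication -eq 1)
# SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS only.
$secLayer = $tcp.SecurityLayer

$assessment = if (-not $rdpEnabled) {
    'RDP disabled: vulnerable code is not reachable over the network'
} elseif ($nlaRequired) {
    'RDP enabled with NLA: vulnerable code sits behind authentication'
} else {
    'RDP enabled WITHOUT NLA: pre-authentication exposure; apply MS12-020 and enable NLA'
}

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nlaRequired
    SecurityLayer = $secLayer
    Assessment    = $assessment
} | Format-List

if ($Enforce -and $rdpEnabled -and -not $nlaRequired) {
    # Equivalent to ticking the "more secure" (NLA) option in System Properties.
    # Caveat: clients without CredSSP (e.g. unpatched XP) can no longer connect.
    Set-ItemProperty -Path $tcpKey -Name UserAuthentication -Value 1 -Type DWord
    Write-Output 'UserAuthentication set to 1; new RDP connections now require NLA.'
}
```

Windows Server 2003 hosts have no NLA setting to enforce, so for them the only options the article leaves are patching or keeping port 3389 off untrusted networks.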


The Remote Assistance feature in Windows (see image above) provides checkboxes for users to choose between “more secure” and “less secure”. On machines where RDP is enabled in the “less secure” mode, nothing blocks pre-auth code execution once a stable exploit is developed.

This issue is potentially reachable over the network by an attacker before authentication is required. RDP is commonly allowed through firewalls due to its utility. The service runs in kernel-mode as SYSTEM by default on nearly all platforms (except for one exception described below). During our investigation, we determined that this vulnerability is directly exploitable for code execution. Developing a working exploit will not be trivial – we would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days.

In all, Microsoft shipped six security bulletins as part of this month's Patch Tuesday batch. The updates address seven documented vulnerabilities in Microsoft Windows, Visual Studio and Expression Design.

  • Microsoft warns: Expect exploits for critical Windows worm hole

    No point in people trying to write exploit code since this vulnerability is just about dead. A patch is out, RDP is disabled by default, no code is written and won't be for another 30 days. That is 3 strikes against those malicious script kiddies. Nothing that the Microsoft Windows Automatic Updates can't fix for you.
    Loverock Davidson-
    • Sure, those MCSEs aren't known for having this port open

For administration, particularly on their servers.

It's been a while since we've had a solid Windows worm.
      Richard Flude
• Give it a rest. You've been using the MCSE crap for years. Time for some new material.
      • Mcitp

MCSE is so 2003; for the last 4 years the highest server admin certification has been called MCITP. And no, there might be many MCITPs that have 3389 open on servers, and certainly the 2008 and up boxes have NLA enabled by default; I do not know many MCITPs that let that traffic cross the corporate firewall on either side of the DMZ.

And a good MCITP will make sure the patch provided today gets applied to all those servers AND all of the clients they might administer/support.
• So are most of the ABMers' arguments.

@sjaak327: [i]MCSE is so 2003...[/i]
• I thought Loverock Davidson was the only solid Windows worm........

but then again he mutates every other day from something to nothing and then back again .....what would the world be like without Loverock Davidson .....can you imagine a world with nothing but Apples ......I can.......
        Over and Out
      • Ye, surprisingly it may as well be 2003

MCSEs haven't got any better. Those of us seeing these clowns' CVs still have them touting their "qualification". Strange Ye continues to post the same (sooky) material.

sjaak327 says the MCSE will patch today without testing, going through change control, informing users of an outage and preparing an impact statement? What am I saying, of course they will, then click reboot (whilst crossing fingers).

        Many corporate servers will have RDP exposed on the LAN to a number of users just waiting for one to open something to begin an attack from within (happens all the time).

        Hard to compete with the skills and experience of the NBMers;-)
        Richard Flude
      • I agree!

        @Richard Flude: [i]Ye, surprisingly it may as well be 2003[/i]

        Given your inability to come up with an original argument since then.
      • 2003 the blaster worm

Then Ye, with his knowledge, would have known that.

        It attacked a patched vulnerability.
        Richard Flude
      • Yep, I feel like I'm back in 2003.

        [i]2003 the blaster worm[/i]
      • Already submitted to change control

        Running the installs on our test environment tonight to test for any issues. No servers have RDP enabled to the outside world. NLA is enabled on everything but the handful of 2003 servers we still have. We'll have this deployed within a week due to the critical nature. A properly functioning change control system allows for such rapid deployment. Although this is the first time we've had to use it.

        RDP is disabled on all desktop systems company wide via GPO already so no issue there. We'll let that patch roll out via normal WSUS testing and deployment.

        But you're right, this will still hit some people and people like you will blame MS. There's not much they can do besides provide patches. A responsible IT department is already working on this. A lot of them aren't responsible. And it doesn't matter what "certs" they have, I've found incompetent Linux admins. They are more rare as Linux is more difficult to use. But it does happen.
      • Doesn't count anyway.

@LiquidLearner: According to the ZDNet forum qualifications, if it's not enabled by default it doesn't count. But that won't stop his double standard.
      • MCSEs haven't got any better

        [i]MCSEs haven't got any better. Those of us seeing these clowns CVs still have them touting their "qualification". Strange ye continues to post the same (sooky) material.[/i]

        I agree. Like changing the cert name and updating it will end the same kind of mistakes they made back in 2003?
    • that's right officer barbrady nothing to see here...

That's right, Officer Barbrady, nothing to see here... seeing that in many corporations RDP is turned on so that admins can get into machines remotely, or how about the home user that doesn't pay for and use some site like gotomypc ... I could go on ... but obviously you should see @loverockdavidson is wrong about not worrying about exploit code. Arrogance, Mr. Davidson, is the first thing you give to your attacker and the first thing you realize you were wrong about when you get cracked.
      • @TG2 is correct

        Let those who underestimate the adversary die a painful death and never work again. 30 days my a$$. Someone already has the script(s). This is all MS hype. I would suggest you all cover your a$$.
    • Errrr. Think again.

      You have the twits [mostly in developing countries] who don't install security updates because they have a pirated copy of Windows.
Then you have some who aren't on the latest supported service pack for their OS. I know of someone a while back who noticed that he wasn't getting any security updates. At one point, when asked, he didn't want to install SP2 for Vista.
  • Got the alerts on my WSUS server

Approved and pushed out just like every Patch Tuesday.
    • Wondering.....

You push them out immediately to [potentially] hundreds of computers without testing or verification? When I was running a WSUS server for a company, they came out on Tuesday afternoon and I'd generally install them Thursday night after checking various forums to see if anyone encountered any issues [we were small enough that we couldn't really test]. The only exception would be anything that was really out of the ordinary. Behind a firewall, so RDP isn't a major issue.
      • RE: Wondering

Not always. Critical and Security patches usually go out with little forethought, and while there is always the potential for an issue, it is very minimal in my experience. That being said, I do test patches in a VM that is loaded with just about every application my users use before pushing them out, but mainly for non-critical or non-essential updates and/or service packs.

        Servers are a different story and I am very selective on what I update on those.
• Microsoft's Critical Fixes

I find it amazing that they make it public and explain exactly how to exploit the vulnerability. So, if a hacker wasn't sure how to go about it, they will know now. I patch all the systems anyway, but it makes me laugh.