Incidents

Update to this Month’s Patch Tuesday Post on MS12-020/CVE-2012-0002


The twitter infosec sphere last night and the blogosphere this morning is in a bit of a frenzy about the public leak of a DoS PoC targeting CVE-2012-0002, the RDP pre-auth remote. This vulnerability was highlighted at our previous Securelist post on this month’s patch Tuesday “Patch Tuesday March 2012 – Remote Desktop Pre-Auth Ring0 Use-After-Free RCE!“. First off, patch now. Now. If you can’t, use the mitigation tool that Microsoft is offering – the tradeoff between requiring network authentication and the fairly high risk of RCE in the next couple of weeks is worth it. You can see the list of related links on the side of this page, one was included for MS12-020.



Some interesting additional information has surfaced about the vulnerability, including the fact that the bug was generated in May of 2011 and “reported to Microsoft by ZDI/TippingPoint in August 2011”. The researcher, Luigi Ariemma, discusses that this work wasn’t disclosed by him (often, he fully discloses his work). After some careful investigation of the poorly coded “rdpclient.exe” posted online in Chinese forums, he found that it was a cheap replica of the unique code he provided to ZDI and in turn, Microsoft, when privately reporting the bug. This is bad. And already, researchers with connections to Metasploit open source exploit dev like Joshua Drake are tightening up the code, developing and sharing improved PoC. As Microsoft pointed out, confidence in the development of a reliable public exploit within 30 days is very high.



Regardless, the implications of a leak in the highly valuable MAPP program could hinder strong and important security efforts that have been built on years of large financial investment, integrity, and maturing operational and development processes. Thoughts and opinions on the leak itself can be found over at Zero Day. At the same time, I think that this event may turn out to be nothing more than a ding in the MAPP program’s reputation, but it’s important that this one is identified and handled properly. With the expansion of the program, an event like this one is something that certainly should have been planned for.



UPDATE: Early this afternoon over at the MSRC blog, Microsoft acknowledges that the PoC leaked on Chinese forums “appears to match the vulnerability information shared with MAPP partners“, note that an RCE exploit is not publicly circulating just yet, advises patching or mitigating with the Fix-It, and initiates investigation into the disclosure.

Update to this Month’s Patch Tuesday Post on MS12-020/CVE-2012-0002

Your email address will not be published. Required fields are marked *

 

Reports

Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

APT trends report Q1 2021

This report highlights significant events related to advanced persistent threat (APT) activity observed in Q1 2021. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Subscribe to our weekly e-mails

The hottest research right in your inbox