When Microsoft's Patch Tuesday release earlier this week revealed a code execution vulnerability for Remote Desktop Protocol (RDP), we knew it wasn’t a good sign. We didn’t expect the situation to get this dangerous so quickly, however, and neither did Microsoft.
Details continue to surface surrounding the RDP exploit, including allegations that the Microsoft Active Protections Program (MAPP), which provides security vendors patch information ahead of its actual release, has been compromised. According to ZDNet blogger Ryan Naraine, several sources claim that the MAPP was breached by hackers in China. Among those making the accusations is security researcher Luigi Auriemma, whom Microsoft credited with discovering the RDP vulnerability in the first place.
One undisclosed security researcher who spoke to Naraine says he “can say with 100% certainty that MAPP information got into the wrong hands,” a claim that Auriemma supported “with no doubt whatsoever,” Narraine wrote.
Auriemma, in a separate statement emailed to SC Magazine, offers even scarier information for those that are late in making the patch. Two early exploits have been proven to cause the infamous blue screen of death on targeted Windows XP and Server 2003 devices, Auriemma told SC Magazine.
Symantec has since confirmed reports of a Proof of Concept (PoC) for a denial of service attack through the exploit Microsoft tried to patch on Tuesday.
Hackers with access to the MAPP would be able to build and distribute attacks more quickly than their potential targets could protect themselves. Even though Microsoft, and every security researcher I spoke to, urged those running RDP to deploy the patch immediately, “if not sooner,” Microsoft researchers had initially warned in a company blog post that they “anticipate that an exploit for code execution will be developed in the next 30 days.”
Now, some may be wishing for that 30 days.
“The threat level with MS12 -020 is rising rapidly,” Lamar Bailey, director of security research and development for nCircle, says. “Over the weekend attackers will be adding malicious payloads to the exploit code Symantec found and we’ll see that in the wild by Monday, if not sooner. Within a week we’ll see multiple malicious payloads, and it will definitely become a worm.”
Meanwhile, hackers are wasting little time trying to establish a more severe threat, with this financially incentivized request for “a working exploit for CVE-2012-0002 (the new RDP hole) as a Metasploit module” posted on web developer project networking site Gun.io.
If Microsoft’s emphasis of the exploit earlier in the week didn’t grab the attention of enterprise IT, these reports will, especially with the risk level rising as quickly as it is, Bailey says. And it could make for a long St. Patrick's Day weekend.
“Patch it now or pay later,” Bailey says. “This should be at the top of every enterprise security team’s list every day until their entire network is completely patched.”