Jim Walter is manager of the McAfee Threat Intelligence Service (MTIS) for the Office of the CTO. He focuses on new ...
See March 15 and 16 updates at the end of this blog.
The March Security Bulletin release from Microsoft was relatively light in volume. Out of the six bulletins released, only one was rated as Critical.
And for good reason. MS12-020 includes CVE-2012-0002. This flaw is specific to the Remote Desktop Protocol (RDP) present on most current versions of Microsoft Windows. The RDP service, by default, listens on TCP port 3389. And because it’s so darn convenient, lots of people like to open their firewalls/ingress points to the traffic.
This is a bad/dangerous/insecure thing. (Choose your own favorite term.) I hope this issue (and many others before it) will influence anyone’s decision-making process when it comes to network hardening, external access, etc.
This is certainly not the first flaw in RDP. It is quite significant in that it does not require authentication to exploit the flaw–just a firing of some specially crafted packets. From that point the world (or the world that the compromised host lives in) is the attacker’s oyster. This is especially bad because the RDP service runs in kernel mode, under the System account (in most cases).
Keep in mind that it is very easy and takes little time to find targets. You see this type of situation all too often:
This situation very quick leads to an intruder’s trying to login via brute force, or trying something new (like the flaw described in MS12-020) !
So, what can you do to protect your environment?
McAfee, Microsoft, and others firmly recommend that you prioritize the deployment of the MS12-020 update.
McAfee Coverage Data
Coverage exists in:
——————- UPDATES ———————————
March 15: McAfee Labs has observed in-the-wild proof-of-concept code targeting this vulnerability. There are a few varied samples that we are both monitoring and analyzing. At this time the coverage/mitigation data already in this post is still valid.
We are continuing to monitor this situation and will provide updates as needed. An updated MTIS Security Advisory has been sent to subscribers.
To stay up to date on these and other critical security events, please subscribe to our McAfee Threat Intelligence Alerts.
March 16: The last 24 hours have been a virtual flood of proof of concept (PoC) and exploit details. Some of these are reliable; some are not.
Tags: Cyber Security Mom, Cybercrime, data breach, Data Protection, Endpoint Protection, enterprise, global threat intelligence, labs, malware, McAfee Labs, Microsoft Security Bulletin, MS12-020, Network Security, Risk and Compliance