Bounty for Patched RDP Exploit

Friday, March 16, 2012 @ 01:03 PM gHale


Patch Tuesday brought its usual promise of mitigations to fill holes in software, but while vulnerabilities get fixed, the real question is how quickly anyone applies the solution.

In a race against time, a web site that bills itself as a place where independent and open source software developers can hire each other has secured promises to award at least $1,435 to the first person who can develop a working exploit that takes advantage of a dangerous security hole in all supported versions of Microsoft Windows, according to a published report on KrebsOnSecurity.

That reward will go to any developer who can devise an exploit for one of two critical vulnerabilities Microsoft patched on Tuesday in its Remote Desktop Protocol (RDP), which allows administrators to control and configure machines remotely over a network.

There may be exploits out there already, as there are unconfirmed reports of one ready and posted to Chinese-language forums.

The bounty comes from contributors to gun.io, a site that advances free and open software. The bounty offered for the exploit is less than the price such a weapon could command on the underground market, or even what a legitimate vulnerability research company might pay. But the site shows promise for organizing a grassroots effort at crafting exploits to test the security of desktops and networks.

“We’re trying to advance the culture of independent software development – so we’ve made a place where indie developers can find other devs to help work on their projects and find gigs to work on when they need cash,” gun.io explains on the About section of the site.


