Patch Tuesday also Exploit Tuesday

Monday, March 19, 2012 @ 03:03 PM gHale


Microsoft patched it, but that didn’t stop the attackers.

There is now a confirmed working exploit for the RDP vulnerability in Windows and researchers said it is capable of either crashing or causing a denial-of-service (DoS) on vulnerable machines. Microsoft warned customers about the possibility of the exploit surfacing quickly and advised them to patch the flaw immediately. The researcher who discovered the vulnerability said the packet he included in his original advisory was in the exploit.


The exploit surfaced on a Chinese download site and researchers have been able to confirm it causes a blue screen of death on some systems and a DoS condition on other versions of Windows.

Experts said the RDP bug, discovered by Luigi Auriemma, has the potential to be the basis of a large-scale worm and the existence of a working exploit is the first step down that road. The exploit will produce a blue screen of death on Windows 7 and a DoS on Windows XP.

Microsoft released its patch on Tuesday and the exploit code was on the Chinese site that same day. Microsoft Active Protections Program (MAPP) members get the data on the patched flaws a day or more before the patches are released to the public. This month, MAPP information went out about 24 hours before the patch release.

Auriemma said the exploit code found on the Chinese site contains the exact packet that he sent to TippingPoint’s Zero Day Initiative in his original advisory on the vulnerability. ZDI engineers typically confirm the bug, work up a protection signature for TippingPoint’s appliances and then send the data on to the affected company.

In addition to the code from Auriemma, researchers said there was additional information in the exploit found on the Chinese site that was only available to MAPP members. One researcher said he was positive there had been a leak somewhere along the chain, but wasn’t sure where it had occurred.


