Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

So if you missed our previous blog post on the MS Patch Tuesday earlier this week, or missed any of the several dozen news articles, there was a pretty serious hole patched up in the latest update from Redmond. Microsoft calls it 'critical' and numbered it MS12-020. It is a hole in RDP or the Remote Desktop Protocol, you know, what you use to see the screen of all those remote servers you have in the server room so you don't have to get up and walk across the office into that cold noisy place to tweak some minor setting on a system. Or maybe you use RDP to check on that system at home while you are in the office, or on the system at the office while you are at home, or at the other office. Pretty damn useful, and a pretty damn big hole.

Now Microsoft has released a patch for this so a lot of people say, "Great, I'll just apply the patch." But the thing is, a LOT of people won't apply the patch, because they didn't hear about the hole or they don't care. So they are sitting there with their servers and workstations blowing in the breeze so to speak, just waiting for someone to come by and exploit this nice RDP hole.

Ahh, but that's the other problem. While Microsoft has released a patch to fix the hole, they didn't actually tell anyone where the hole was. So now the race is on, by both good guys and bad guys alike. Some people are saying that the bad guys already now where the hole is and are exploiting it secretly. The good guys want to know where the hole is so they can scan for it, use it in penetration tests, and generally protect people.

The first thing we noticed was an analysis of the patch. If you compare the patch to the original you can find out what it was that changed. This gives you a real good idea of where to start looking for the hole. And there are a whole bunch of people actively looking for this hole, a bunch of them are hanging out on IRC (Freenode #ms12-020)

The race for a working exploit of MS12-020 is so dramatic there is even a bounty for the fist working Metasploit module for this hole. When we last checked it was up to $1451. The first person to create a successful proof of concept (PoC) in the popular pentesting tool, Metasploit, takes it all.

But there is some other stuff out there too, as we came across a website in China talking about the vulnerability with a screenshot that looks like they might actually have a working exploit for MS12-020. However, the surrounding text makes it seem unclear. So we are unsure of what to make of this post yet.

And then there was a post to pastebin that claimed to be a working exploit. If you looked closely however you could see at the top in the comments the email address was listed as sabu@fbi.gov. That makes things a little suspicious but if you actually attempted to run what was posted you could have put yourself into a world of hurt, as it did not appear to be a working exploit of MS12-020, but instead had traces to an Apache exploit from 2008.

So if you haven't installed the MS12-020 yet, by all means, do so immediately! If you looking for the hole yourself, be careful and look closely at what gets posted.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo