December 9, 2016

Microsoft’s RDP Bug Exposing 5 Million Hosts to Potential Attack

(LiveHacking.Com) – The impact of the RDP bug which Microsoft patched as part of this month’s Patch Tuesday is continuing to grow. Dan Kaminsky, who is best known for his work finding a critical DNS and for helping to fix it, has initiated a scan of the Internet and by extrapolating the data from the 8% sample (some 300 million IP addresses) it seems that there are about five million RDP endpoints on the Internet today.

With a proof of concept exploit already circulating in the wild this means that, unless updated to apply the latest patches, these five million servers are vulnerable to a real, palpable attack. Not a theoretical vulnerability but real exposure. Since RDP is the way most Windows systems are remotely administered, this vulneravility is now being seen on a whole different scale.

“There’s a very good chance that your network is exposing some RDP surface. If you have any sort of crisis response policy, and you aren’t completely sure you’re safe from the RDP vulnerability, I advise you to invoke it as soon as possible,” wrote Dan on his blog.

For those who haven’t yet applied Microsoft’s patches there is a way to substantially reduce the risk on Windows Vista and later systems where RDP is enabled: By enabling Remote Desktop’s Network Level Authentication (NLA) users are forced to authenticate before a remote desktop session is established. On systems with NLA enabled, the vulnerable code is still present and could potentially be exploited for code execution. However, NLA would require an attacker to first authenticate to the server before attempting to exploit the vulnerability.  You can find instructions here to enable NLA.

Microsoft Release a Critical Remote Desktop Fix for Patch Tuesday

(LiveHacking.Com) – Microsoft’s ‘Patch Tuesday’ was relatively small this month with just one Critical bulletin issued. The patch (MS12-020) addresses an issue in the Remote Desktop Protocol (RDP). The vulnerability, which was privately reported to Microsoft, could allow an attacker to achieve remote code execution on a machine running RDP. If the machine does not have Network Level Authentication (NLA) enabled, the attacker would not require authentication for RCE access. To launch the attack, the hacker needs to send a sequence of specially crafted RDP packets to an affected system. However by default the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system and therefore systems that do not have RDP enabled are not at risk.

The rest of the bulletins issued by Microsoft comprise of four Important issues and a single Moderate one. In total these bulletins address seven issues in Microsoft Windows, Visual Studio, and Expression Design.

The remaining bulletins are:

  • MS12-017 – Vulnerability in DNS Server Could Allow Denial of Service. This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote unauthenticated attacker sends a specially crafted DNS query to the target DNS server.
  • MS12-018 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege. This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
  • MS12-021 – Vulnerability in Visual Studio Could Allow Elevation of Privilege. This security update resolves one privately reported vulnerability in Visual Studio. The vulnerability could allow elevation of privilege if an attacker places a specially crafted add-in in the path used by Visual Studio and convinces a user with higher privileges to start Visual Studio. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
  • MS12-022 – Vulnerability in Expression Design Could Allow Remote Code Execution. This security update resolves one privately reported vulnerability in Microsoft Expression Design. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .xpr or .DESIGN file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Microsoft Expression Design could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .xpr or .DESIGN file) from this location that is then loaded by a vulnerable application.
  • MS12-019 – Vulnerability in DirectWrite Could Allow Denial of Service. This security update resolves a publicly disclosed vulnerability in Windows DirectWrite. In an Instant Messager-based attack scenario, the vulnerability could allow denial of service if an attacker sends a specially crafted sequence of Unicode characters directly to an Instant Messenger client. The target application could become unresponsive when DirectWrite renders the specially crafted sequence of Unicode characters.