Microsoft said that it has not seen any evidence that hackers have figured out a way to take advantage of a critical vulnerability in the Windows Remote Desktop Protocol (RDP) that the company disclosed and patched on Tuesday. The statement comes in the wake of unconfirmed reports of working exploits for the RDP hole circulating online on Thursday.
Yunsun Wee, the director of Trustworthy Computing at the Redmond, Washington company said that Microsoft was recommending customers deploy the patch, MS12-020, as soon as possible to close a critical hole in the RDP protocol, a standard component used to allow remote access to Windows desktops. But the Director said that the company still hasn’t seen any evidence that cyber criminals or others had figured out how to exploit the hole yet.
“We have not seen any evidence pointing to public exploit code or active attacks for the issue addressed by MS12-020,” she said in an e-mail statement.
There were unconfirmed reports Thursday of exploits circulating online. Researchers at Kaspersky Lab discovered a post on a Chinese-language blog called (roughly translated) “Warm Months Seamless.” the post claims to be a working, proof of concept exploit for the MS12-020 vulnerability and was posted on Thursday by hurricane_81, the blog’s author. The post contained the payload of the alleged exploit, though Kaspersky Lab Senior Whitelisting Analyst Mikhail Gorshenin said he couldn’t confirm that the exploit worked.
In an unrelated post, Russian security researcher Valery Marchuk wrote on the Web site SecurityLab.ru, that he had discovered a functional exploit for the MS12-020 hole on a Chinese Web site, forgeting.com. That site was unreachable when Threatpost tried to confirm Marchuk’s report. but Marchuk included a screenshot that appeared to show a compiled exploit being used to compromise a vulnerable Windows Server 2003 system. It is unclear if the exploit observed by Securitylab is the same as the exploit posted on the hurricane_81 exploit or different or if either is valid and functioning.
Microsoft issued a fix for the RDP hole on Tuesday and advised customers to apply it immediately, citing the “attractiveness” of the RDP hole, which could give remote attackers complete control over a vulnerable system. The company strongly urged its customers to apply the fix immediately, saying it expected live exploits of it to begin sicrulating within a month.
Experts have warned that the hole could give rise to a new family of worms such as Conficker.