As a follow-up to its usual Patch Tuesday release this week, officials at Microsoft are warning users that an exploit against the recently disclosed Remote Desktop Protocol (RDP) vulnerability for Windows is likely to come in the next 30 days.
According to a supplementary entry on its Security Research & Defense blog, Microsoft claims the “attractiveness” of the RDP vulnerability may make it especially appealing to hackers.
The hole is one of two vulnerabilities patched by Microsoft Security Bulletin MS12-020 yesterday as part of March’s Patch Tuesday. While the rest of the month’s bulletins ranged from important to moderate, the company rated MS12-020 critical and urged users to patch their systems as soon as possible.
The post, written by MSRC Engineering’s Suha Can and Jonathan Ness, stresses that RDP comes disabled on most computers and client workstations. RDP is a protocol that allows users to remotely access a PC or server. To exploit the vulnerability, hackers would simply need to send malicious packets of information to an RDP-enabled system.
Some security experts have speculated that if exploited the hole could spark the beginning of an onslaught of new worms, some perhaps rivaling Conficker.
In an interview with Computerworld, nCircle Security’s Andrew Storms warned the hole “has all the ingredients for a class worm,” hinting at its ability to allow network execution without authentication, among other traits.
Jason Miller, manager of research and development at VMware, also speaking with Computerworld, guaranteed the vulnerability would be analyzed by hackers.
“Hackers want (vulnerabilities) that don’t require authentication and are in a part of Windows that’s widely used. I guarantee that attackers are going to look at this closely,” Miller said.
Discussing the vulnerability with ZDNet Australia, HackLabs’ director Chris Gatford likened the hole to Microsoft’s critical MS08-067 which allowed attackers to run arbitrary code without authentication to be “used in the crafting of a wormable exploit” in 2008. Four days later, that hole was used by attackers, its exploit code published on the Internet. Eight days later, Conficker launched leading to widespread head scratching from researchers.
While Microsoft claims they haven’t seen any active exploits for MS12-020 yet, it seems it will be a matter of time at this point.