Working exploit for MS12-020 RDP flaw found
The vulnerability in Microsoft’s Remote Desktop Protocol (RDP) implementation (MS12-020) – a patch for which has been released by during the last Patch Tuesday – has been deemed critical enough to warrant a an immediate implementation of the patch, as it was expected that an exploit for the vulnerability would pop up in the wild in fewer than 30 days.
But, as it turns out, it took only one.
According to Threatpost, a working exploit has surfaced on a Chinese download site and researchers who have analyzed it have confirmed that it triggers a blue-screen-of-death scenario on computers running Windows 7 and a DoS condition on those with Windows XP.
The speed with which a working exploit has found its way to the public has probably surprised a lot of people, but there seems to be a good explanation for it: the exploit code found on the Chinese site contains the exact packet that Luigi Auriemma – a well-known researcher that first spotted the flaw in question – sent to TippingPoint’s Zero Day Initiative along with details about the vulnerability.
The packet and the advisory were after that forwarded to Microsoft, and have ultimately been shared by the company with the members of its Microsoft Active Protection Program (MAPP) – a circle of vetted security companies that receive the information before Patch Tuesday so that they implement defenses against the exploits in their offerings.
It is still unknown who leaked the information and why, but Auriemma seems entirely positive that it’s his PoC code, so he published it and the corresponding advisory on his page.