Windows remote desktop protocol exploit code released

This week, Microsoft released a new security update for Windows XP, Windows Vista and Windows 7. The update contained a fix for a flaw discovered in Windows' Remote Desktop Protocol that, if exploited by hackers, could have allowed them to break into a Windows PC and run malicious code.

At the time, Microsoft urged everyone to update their Windows PCs as soon as possible, stating, "Developing a working exploit will not be trivial – we would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days."

Now it looks like that exploit could be created even sooner than Microsoft thought. According to ZDNet.com, Chinese hackers have already released proof-of-concept code that could allow others to create a working exploit for the Remote Desktop Protocol flaw.

Not only does this mean that Windows PC users should get that update installed right now, it also might mean Microsoft could have a security leak. The article states that the company runs a program called Microsoft Active Protections Program, or MAPP. The program is designed to give companies such as anti-virus makers and corporate security groups a heads-up on any exploits Microsoft has discovered 24 hours before a Windows security update is released.

The fact that a hacker group has already created code that could be used to go after the Windows Remote Desktop Protocol flaw may mean that someone, either at Microsoft or at one of the companies in the MAPP group, leaked that information. So far, Microsoft has yet to comment on whether it has found such a leak.


24 Comments


Simon- said,
Does it affect Windows 2000 too, considering there is no patch for it?

I would say if you have RDP open then yes, and there won't be a patch for an EOL SOL OS like Win2k.

warwagon said,
Yay more work for computer repair shops!

Nobody ever installs updates! It frightens people!

Well it's disabled by default, but a lot of places still have RDP on for various reasons.

warwagon said,
Yay more work for computer repair shops!

Nobody ever installs updates! It frightens people!

How many people have RDP open to the outside?

'Now it looks like that exploit could be created even sooner than Microsoft thought. According to ZDNet.com, Chinese hackers have already released...'
Let's just go back to Stuxnet, with its multiple 0day vulnerabilities that no-one knew about and being signed with various legitimate keys...
There's ALWAYS going to be big security holes, and there's ALWAYS gonna be some places that know about them a LONG time before the public or companies know about them. Pretty sure there's been code to exploit this flaw for a lot longer than a day.

n_K said,
'Now it looks like that exploit could be created even sooner than Microsoft thought. According to ZDNet.com, Chinese hackers have already released...'
Let's just go back to Stuxnet, with its multiple 0day vulnerabilities that no-one knew about and being signed with various legitimate keys...
There's ALWAYS going to be big security holes, and there's ALWAYS gonna be some places that know about them a LONG time before the public or companies know about them. Pretty sure there's been code to exploit this flaw for a lot longer than a day.

I was wondering that. May not be a leak as much as something someone had already found and had kept quiet about it. Now that it's patched, there's no reason to keep quiet.

Edit: Ahh, no. I read the ZDNet article and it sounds like it's not just something someone else created too, it was identical and could only have been a leak. That's not a good sign for MS.

More likely the fact MS publicized the crap out of the patch (appropriately so imho) also got every hacker group's attention to focus on it. Given the language MS used, it sounded to me from the get go like MS knew groups were already working up exploit code, be it via a MAPP leak, a ZDI leak or other intel about ongoing activities.

Edited by knighthawk, Mar 16 2012, 6:38pm :

ShMaunder said,

Oh that's nasty, and far more serious than I first thought. I've never trusted exposing RDP to the internet. Instead I tunnel port 3389 over SSH.

I gotta agree here. Leaving RDP wide open to the Internet is beyond silly. Something like that should always be behind VPN or an SSH tunnel or something. This exploit shouldn't be too concerning if you have decent security. It could still be an issue internally though if you just secure it with VPN, but with the SSH tunnel you should be safe internally and externally.

ShMaunder said,
So this exploit doesn't affect the Windows Server family, right?

It affects any Windows computer that has Remote Desktop Protocol enabled.

That includes Windows Servers.

illegaloperation said,

It affects any Windows computer that has Remote Desktop Protocol enabled.

That includes Windows Servers.


I assumed it affected only the desktop versions, as those were the only things mentioned in the article. I think the article should at least list the affected platforms.

knighthawk said,

Get yourself patched.

Yep, sure will