Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

The Race for MS12-020

So if you missed our previous blog post on the MS Patch Tuesday earlier this week, or missed any of the several dozen news articles, there was a pretty serious hole patched up in the latest update from Redmond. Microsoft calls it 'critical' and numbered it MS12-020. It is a hole in RDP or the Remote Desktop Protocol, you know, what you use to see the screen of all those remote servers you have in the server room so you don't have to get up and walk across the office into that cold noisy place to tweak some minor setting on a system. Or maybe you use RDP to check on that system at home while you are in the office, or on the system at the office while you are at home, or at the other office. Pretty damn useful, and a pretty damn big hole.

Now Microsoft has released a patch for this so a lot of people say, "Great, I'll just apply the patch." But the thing is, a LOT of people won't apply the patch, because they didn't hear about the hole or they don't care. So they are sitting there with their servers and workstations blowing in the breeze so to speak, just waiting for someone to come by and exploit this nice RDP hole.

Ahh, but that's the other problem. While Microsoft has released a patch to fix the hole, they didn't actually tell anyone where the hole was. So now the race is on, by both good guys and bad guys alike. Some people are saying that the bad guys already now where the hole is and are exploiting it secretly. The good guys want to know where the hole is so they can scan for it, use it in penetration tests, and generally protect people.

The first thing we noticed was an analysis of the patch. If you compare the patch to the original you can find out what it was that changed. This gives you a real good idea of where to start looking for the hole. And there are a whole bunch of people actively looking for this hole, a bunch of them are hanging out on IRC (Freenode #ms12-020)

The race for a working exploit of MS12-020 is so dramatic there is even a bounty for the fist working Metasploit module for this hole. When we last checked it was up to $1451. The first person to create a successful proof of concept (PoC) in the popular pentesting tool, Metasploit, takes it all.

But there is some other stuff out there too, as we came across a website in China talking about the vulnerability with a screenshot that looks like they might actually have a working exploit for MS12-020. However, the surrounding text makes it seem unclear. So we are unsure of what to make of this post yet.

And then there was a post to pastebin that claimed to be a working exploit. If you looked closely however you could see at the top in the comments the email address was listed as That makes things a little suspicious but if you actually attempted to run what was posted you could have put yourself into a world of hurt, as it did not appear to be a working exploit of MS12-020, but instead had traces to an Apache exploit from 2008.

So if you haven't installed the MS12-020 yet, by all means, do so immediately! If you looking for the hole yourself, be careful and look closely at what gets posted.

Latest SpiderLabs Blogs

Hunting For Integer Overflows In Web Servers

Allow me to set the scene and start proceedings off with a definition of an integer overflow, according to Wikipedia:

Read More

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More