mailing list archives
RE: Regarding MS12-020
From: "Thor \(Hammer of God\)" <thor () hammerofgod com>
Date: Tue, 20 Mar 2012 20:43:40 +0000
Actually, the tool included (which I will post here since it would be quite difficult to pull the code from the PDF)
mitigates WS03 as well. Mathematically, there is a 1 in 4 billion chance someone could establish an RDP session, but
applicably, no one ever would.
Security in depth, and least privilege. It works :)
From: Jim Harrison [mailto:Jim () isatools org]
Sent: Tuesday, March 20, 2012 1:28 PM
To: Thor (Hammer of God); 'bugtraq () securityfocus com'
Subject: RE: Regarding MS12-020
Gee, Tim - someone might think you had an axe to grind <ducks swinging
I know; Thor has a hammer, but it still works (barely).
One thing worth mentioning is that there is no mitigation for those who are
still stuck using WS03, since NLA doesn't exist prior to Vista.
Those deployments are also great examples of what happens when layer-8 is
the primary motivating factor in the security choices you make.
From: Thor (Hammer of God) [mailto:thor () hammerofgod com]
Sent: Tuesday, March 20, 2012 8:12 AM
To: 'bugtraq () securityfocus com'
Subject: Regarding MS12-020
PoC code for MS12-020 (RDP) is obviously floating about, and many are still
worried about worm activity from this.
One of my criticisms about this industry is that rarely is mitigation information
shared or discussed; people seem to concentrate on breaking and not
preventing exploitation. I wanted to point out that anyone who followed the
processes or techniques in my RDP chapter of Thor's Microsoft Security Bible
(or used the tool I wrote for RDP access) would have been automatically
protected from this vulnerability. That is not a point of ego, just a point of
If you are concerned with RDP security, as you should be, you can read most
(if not all) of Chapter 7 for *free* using the Amazon "preview a page" feature.
If the RDP vulnerabilities have caused you any level of concern, then I suggest
you do. Like I said on the FD list, I'm far more concerned with making sure
people get the information they need (for free of course) than I am trying to
earn a buck - anyone who knows me knows I've always freely shared all
information in an effort to contribute to security.
The first think I will tell you is to always use NLA (network level
authentication). It can be a very powerful way to obviate exploitability. The
rest of the information is all right there gratis for your viewing pleasure.
If you are in a pinch and need help with any of this, I'll try my best to help if
you want to ping me offline. Thanks.
Timothy "Thor" Mullen
There's no need to think outside the box if you don't think yourself into to