Security Updates and Exploit Code

  • Article

In our last update cycle we published the security bulletin MS12-020 Vulnerabilities in Remote Desktop Could Allow Remote Code Execution. Relatively soon after the release, there was a public exploit code available - we informed here: Proof-of-Concept Code available for MS12-020.

This would not necessarily make me blog as it is a fairly common scenario – unfortunately. In all the different discussion lists internally, I realized that a there was a lot of confusion and nervousness internally and with our customers, which I definitely can understand.

I just wanted to make sure, that you understand and see all the resources you have available to take an informed decision. We basically give you two assessments: A Severity Rating and Vulnerability Impact and an Exploitability Index:

  • The Security Rating and Vulnerability Impact describes how severe the vulnerability is and is described here in detail. If there are default mitigations in place, there is a chance that a vulnerability rating is lower. What is important is, that our assessment is always based on a default, out-of-the-box installation. If you decide to switch off the firewall, obviously there is a good chance that your risk is higher than flagged in our assessment.
  • The Exploitability Index shows how likely we think an exploit is. We provide this information since late 2008 but it seems still not too well known – it is described here. You always find it in the bulletin summary per month.

Let’s apply this now to MS12-020 described above: The security rating is “critical”, which is the highest possible rating we have and the exploitability index is on “1 - Exploit code likely”. So, in this case we have a critical vulnerability and we expected a working exploit code to hit the net – unfortunately we have proven to be right.

This is in no means to criticize anybody, it is more to give you all the information to take the right decisions upfront. This update was definitely one you want to set extremely high on your priority list…

Roger