
Microsoft announces 7 bulletins for May 2012 Patch Tuesday, closes book on MAPP data leak

In addition to its advance notification for Patch Tuesday, Microsoft uncovers the party responsible for leaking security information and exposing customers to attacks against RDP

Just hours after releasing the advance notification for May’s Patch Tuesday release, which consists of seven bulletins, Microsoft brought some closure to its biggest security threat of the year.

RELATED: Microsoft’s MAPP reportedly hacked, RDP exploits coming sooner than expected
MCTS Training, MCITP Training

Best Microsoft MCTS Certification, Microsoft MCITP Training
at certkingdom.com

In a post on its TechNet blog, Microsoft blamed Chinese partner company Hangzhou DPTech Technologies for March’s information leak in the Microsoft Active Protections Program (MAPP), a leak that led to several threats against a Remote Desktop Protocol (RDP) vulnerability.

“During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member of the MAPP program, Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA),” Yunsun Wee, director of Microsoft Trustworthy Computing, wrote in the blog post. “Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program.”

The breach, which came at the hands of hackers in China, granted the cybercrime community access to information to attack the RDP vulnerability before Microsoft customers were given the information needed to patch it. Wee added that Microsoft “took actions to better protect our information,” while senior program manager Maarten Van Horenbeeck provided more visibility into the inner workings of MAPP.

Given the relatively light load of security bulletins, Microsoft chose an opportune time to close the book on March’s security scare. Three of the seven bulletins were rated critical, the most interesting of which was Bulletin 1’s critical patch for Office, Qualys CTO Wolfgang Kandek says.

Threats against Office typically require the user to open a file containing a malicious program, Kandek says. Microsoft has traditionally been more prone to issue the “important” rating to threats that involve user interaction, he added, making this month’s critical bulletin “kind of interesting.”

Marcus Carey, security researcher at Rapid7, speculated that the Office vulnerability patched with Bulletin 1 “is an underlying issue on how it processes data.” Citing the recent phishing attacks against Mac systems, Carey says threats coming through Microsoft productivity software are “becoming a recurring theme for organizations and end users because it’s primed for phishing attacks.”

Beyond that, the remaining two critical patches will attract the most attention, primarily because they address vulnerabilities in Windows versions XP through 7, Carey says.

“This means that all organizations and the entire user base will be affected by these critical bulletins,” Carey says.

The other four bulletins were all rated important. Bulletins 4 and 5 address remote code execution vulnerabilities in Office, while Bulletins 6 and 7 address elevation of privilege in Windows Vista and Windows 7.

With seven bulletins in April, Microsoft’s total number of bulletins for 2012 rises to 35, compared to the 36 issued by the same point last year. Interestingly, Microsoft’s release schedule has been far more consistent than in years past. From January through May 2012, the number of Patch Tuesday bulletins issued in a single month has dipped as low as six and risen only as high as nine. In the same period last year, those totals ranged from two in both January and May to 12 in February and 17 in April.

This trend shows a sign of stability in Microsoft research and makes the jobs of systems administrators much easier, Kandek says.

“I’m not sure how they do this internally in terms of planning, but it seems to me going to a more steady stream is a sign of maturity, and from my systems administration perspective I prefer that to every two months getting something bigger,” Kandek says. “I personally prefer a steady stream coming out. I can deal with that better, rather than things where suddenly my capacity is stretched more.”

Andrew Storms, director of security operations for nCircle, also took note of Microsoft’s continued move away from the “feast and famine” approach of last year. However, the number of bulletins is less relevant than the number of common vulnerabilities and exposures (CVEs), Storms says, and the security community should put more focus on Microsoft’s increase in that area this year.

“Bulletin numbers don’t tell the whole patch story,” Storms says. “CVEs correspond to the number of bugs fixed, and this year Microsoft is on a CVE streak. With the 23 CVEs in May’s patch, Microsoft’s CVE count has already reached 70 for 2012. This time last year Microsoft issued just 59 CVEs.”


Microsoft’s MAPP reportedly hacked, RDP exploits coming sooner than expected

Microsoft’s early patch information distribution system appears to have been hacked, giving attackers a jumpstart at building a worm.

When Microsoft’s Patch Tuesday release earlier this week revealed a code execution vulnerability for Remote Desktop Protocol (RDP), we knew it wasn’t a good sign. We didn’t expect the situation to get this dangerous so quickly, however, and neither did Microsoft.
RELATED: Microsoft incites madness with March’s Patch Tuesday release

Details continue to surface surrounding the RDP exploit, including allegations that the Microsoft Active Protections Program (MAPP), which provides security vendors patch information ahead of its actual release, has been compromised. According to ZDNet blogger Ryan Naraine, several sources claim that the MAPP was breached by hackers in China. Among those making the accusations is security researcher Luigi Auriemma, whom Microsoft credited with discovering the RDP vulnerability in the first place.

RELATED: Don’t Wait on This Patch, Microsoft says

One undisclosed security researcher who spoke to Naraine says he “can say with 100% certainty that MAPP information got into the wrong hands,” a claim that Auriemma supported “with no doubt whatsoever,” Naraine wrote.

Auriemma, in a separate statement emailed to SC Magazine, offers even scarier information for those who are late in applying the patch. Two early exploits have been proven to cause the infamous blue screen of death on targeted Windows XP and Server 2003 devices, Auriemma told SC Magazine.

Symantec has since confirmed reports of a Proof of Concept (PoC) for a denial of service attack through the exploit Microsoft tried to patch on Tuesday.

Hackers with access to the MAPP would be able to build and distribute attacks more quickly than their potential targets could protect themselves. Even though Microsoft, and every security researcher I spoke to, urged those running RDP to deploy the patch immediately, “if not sooner,” Microsoft researchers had initially warned in a company blog post that they “anticipate that an exploit for code execution will be developed in the next 30 days.”

Now, some may be wishing for that 30 days.

“The threat level with MS12-020 is rising rapidly,” Lamar Bailey, director of security research and development for nCircle, says. “Over the weekend attackers will be adding malicious payloads to the exploit code Symantec found and we’ll see that in the wild by Monday, if not sooner. Within a week we’ll see multiple malicious payloads, and it will definitely become a worm.”

Meanwhile, hackers are wasting little time trying to establish a more severe threat: a financially incentivized request for “a working exploit for CVE-2012-0002 (the new RDP hole) as a Metasploit module” has been posted on the web developer project networking site Gun.io.

If Microsoft’s emphasis on the exploit earlier in the week didn’t grab the attention of enterprise IT, these reports will, especially with the risk level rising as quickly as it is, Bailey says. And it could make for a long St. Patrick’s Day weekend.

“Patch it now or pay later,” Bailey says. “This should be at the top of every enterprise security team’s list every day until their entire network is completely patched.”