Actually, the tool included (which I will post here since it would be quite difficult to pull the code from the PDF) mitigates WS03 as well. Mathematically, there is a 1 in 4 billion chance someone could establish an RDP session, but applicably, no one ever would. Security in depth, and least privilege. It works :)

t

>-----Original Message-----
>From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
>Sent: Tuesday, March 20, 2012 1:28 PM
>To: Thor (Hammer of God); 'bugtraq@xxxxxxxxxxxxxxxxx'
>Subject: RE: Regarding MS12-020
>
>Gee, Tim - someone might think you had an axe to grind <ducks swinging keyboard>...
>I know; Thor has a hammer, but it still works (barely).
>
>One thing worth mentioning is that there is no mitigation for those who are still stuck using WS03, since NLA doesn't exist prior to Vista.
>Those deployments are also great examples of what happens when layer-8 is the primary motivating factor in the security choices you make.
>
>Jim
>
>-----Original Message-----
>From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>Sent: Tuesday, March 20, 2012 8:12 AM
>To: 'bugtraq@xxxxxxxxxxxxxxxxx'
>Subject: Regarding MS12-020
>
>PoC code for MS12-020 (RDP) is obviously floating about, and many are still worried about worm activity from this.
>
>One of my criticisms about this industry is that rarely is mitigation information shared or discussed; people seem to concentrate on breaking and not preventing exploitation. I wanted to point out that anyone who followed the processes or techniques in my RDP chapter of Thor's Microsoft Security Bible (or used the tool I wrote for RDP access) would have been automatically protected from this vulnerability. That is not a point of ego, just a point of fact.
>
>If you are concerned with RDP security, as you should be, you can read most (if not all) of Chapter 7 for *free* using the Amazon "preview a page" feature. If the RDP vulnerabilities have caused you any level of concern, then I suggest you do. Like I said on the FD list, I'm far more concerned with making sure people get the information they need (for free of course) than I am trying to earn a buck - anyone who knows me knows I've always freely shared all information in an effort to contribute to security.
>
>The first thing I will tell you is to always use NLA (network level authentication). It can be a very powerful way to obviate exploitability. The rest of the information is all right there gratis for your viewing pleasure.
>
>If you are in a pinch and need help with any of this, I'll try my best to help if you want to ping me offline. Thanks.
>t
>
>
>---------------------------
>Timothy "Thor" Mullen
>www.hammerofgod.com
>
>There's no need to think outside the box if you don't think yourself into it to start with.
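As an added example (not code from this thread, and not the tool Thor refers to), the following PowerShell script checks whether the RDP-Tcp listener on the local host requires NLA and, with -Enforce, turns it on along with the TLS security layer. It assumes an elevated prompt on Vista/2008 or later (as noted above, NLA is not available on WS03); the registry paths and the Win32_TSGeneralSetting WMI class are the documented Terminal Services settings.

```powershell
# Added example: audit (and optionally enforce) NLA on the RDP-Tcp listener.
# Run from an elevated PowerShell prompt. Not part of the original posting.
param([switch]$Enforce)

$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpListenerState {
    # UserAuthentication: 1 = NLA required (CredSSP completes before a session is created)
    # SecurityLayer:      0 = legacy RDP security, 1 = negotiate, 2 = TLS only
    $l  = Get-ItemProperty -Path $listenerKey -ErrorAction SilentlyContinue
    $ts = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpEnabled    = ($ts.fDenyTSConnections -eq 0)
        NlaRequired   = ($l.UserAuthentication -eq 1)
        SecurityLayer = $l.SecurityLayer
    }
}

$before = Get-RdpListenerState
Write-Host "Current state:"
$before | Format-List

if ($before.RdpEnabled -and -not $before.NlaRequired) {
    Write-Warning "RDP is enabled but NLA is NOT required: unauthenticated clients reach the full RDP stack."
}

if ($Enforce) {
    # Use the Terminal Services WMI provider so the running listener picks the change up,
    # rather than editing the registry values directly.
    $cfg = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                         -Class Win32_TSGeneralSetting `
                         -Filter "TerminalName='RDP-Tcp'"
    if ($null -eq $cfg) { throw "RDP-Tcp listener not found via WMI." }

    $null = $cfg.SetUserAuthenticationRequired(1)   # require NLA
    $null = $cfg.SetSecurityLayer(2)                # TLS only (no legacy RDP security)

    Write-Host "After enforcement:"
    Get-RdpListenerState | Format-List
}
```

Run it without arguments first to see where a host stands; the warning fires on exactly the configuration the thread is about (RDP reachable, NLA off). With -Enforce it requires NLA and TLS on the listener; existing sessions are not dropped, but clients that cannot do CredSSP will be refused from then on, so check older clients before rolling it out.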