RE: Regarding MS12-020

["Thor \(Hammer of God\)" <thor () hammerofgod com>]

Actually, the tool included (which I will post here since it would be quite difficult to pull the code from the PDF) 
mitigates WS03 as well.  Mathematically, there is a 1 in 4 billion chance someone could establish an RDP session, but 
applicably,  no one ever would.  

Security in depth, and least privilege.  It works :)

t

> -----Original Message-----
> From: Jim Harrison [mailto:Jim () isatools org]
> Sent: Tuesday, March 20, 2012 1:28 PM
> To: Thor (Hammer of God); 'bugtraq () securityfocus com'
> Subject: RE: Regarding MS12-020
>
> Gee, Tim - someone might think you had an axe to grind <ducks swinging
> keyboard>...
> I know; Thor has a hammer, but it still works (barely).
>
> One thing worth mentioning is that there is no mitigation for those who are
> still stuck using WS03, since NLA doesn't exist prior to Vista.
> Those deployments are also great examples of what happens when layer-8 is
> the primary motivating factor in the security choices you make.
>
> Jim
>
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor () hammerofgod com]
> Sent: Tuesday, March 20, 2012 8:12 AM
> To: 'bugtraq () securityfocus com'
> Subject: Regarding MS12-020
>
> PoC code for MS12-020 (RDP) is obviously floating about, and many are still
> worried about worm activity from this.
>
> One of my criticisms about this industry is that rarely is mitigation information
> shared or discussed; people seem to concentrate on breaking and not
> preventing exploitation.  I wanted to point out that anyone who followed the
> processes or techniques in my RDP chapter of Thor's Microsoft Security Bible
> (or used the tool I wrote for RDP access) would have been automatically
> protected from this vulnerability.  That is not a point of ego, just a point of
> fact.
>
> If you are concerned with RDP security, as you should be, you can read most
> (if not all) of Chapter 7 for *free* using the Amazon "preview a page" feature.
> If the RDP vulnerabilities have caused you any level of concern, then I suggest
> you do.  Like I said on the FD list, I'm far more concerned with making sure
> people get the information they need (for free of course) than I am trying to
> earn a buck - anyone who knows me knows I've always freely shared all
> information in an effort to contribute to security.
>
> The first think I will tell you is to always use NLA (network level
> authentication).  It can be a very powerful way to obviate exploitability.  The
> rest of the information is all right there gratis for your viewing pleasure.
>
> If you are in a pinch and need help with any of this, I'll try my best to help if
> you want to ping me offline.   Thanks.
> t
>
>
> ---------------------------
> Timothy "Thor"  Mullen
> www.hammerofgod.com
>
> There's no need to think outside the box if you don't think yourself into to
> start with.