Proof-of-concept RDP vulnerability code discovered. Patch Windows now

Filed Under: Featured, Malware, Microsoft, Vulnerability

Alert. Image from ShutterstockSophosLabs has seen proof-of-concept code on Chinese websites which tries to exploit the recently announced Microsoft RDP vulnerability, causing computers to crash.

The critical vulnerability exists in Windows, and could be exploited to spread a worm automatically between vulnerable computers.

The advice from Microsoft and Sophos is to patch your copies of Windows as soon as possible, and Microsoft warned earlier this week that it expected malicious hackers to exploit the flaw within 30 days.

Well, that's already happening. The code we've seen - in the form of Python scripts - attempts to exploit the MS12-020 RDP vulnerability and causes Windows computers to blue screen. It wouldn't be a surprise if whoever is writing this code to further develop the attacks to produce a fast-spreading internet worm.

As a result, Windows users should consider themselves on high alert and harden their defences. Microsoft has discussed the patch, and other ways to mitigate the threat, in a blog post.

Sophos is adding detection of the script we have seen as Troj/PyRDP-A.

Fake exploits for the Microsoft RDP vulnerability

Meanwhile, we have also seen what claims to be the Python script of a worm that exploits the RDP exploit.

Fake worm for exploiting Microsoft RDP flaw

The script, however, appears to be a hoax. It references a Python module that doesn't exist (FreeRDP), and claims to be written by, an obvious reference to the high profile Anonymous hacker who was recently revealed to have been secretly working for the FBI for months.

The code doesn't exploit the MS12-020 vulnerability.

Of course, if anyone is any doubt, there's about as much chance of that script being written by Sabu (real name Hector Xavier Monsegur) as I have of being named the next "Doctor Who".

Okay, stop being amused by that and patch your Windows computers now against the RDP vulnerabilty.


Image of alert sign courtesy of Shutterstock.

, , , , , , ,

You might like

7 Responses to Proof-of-concept RDP vulnerability code discovered. Patch Windows now

  1. Tim · 1301 days ago

    Not to be pedantic, but you may wish to amend "Of course, if anyone is any doubt" to
    "Of course, if anyone is in any doubt"

  2. Scott · 1301 days ago

    I have RDP ports blocked on all my routers and firewalls and have the service disabled on all my machines. I've never trusted that service and have been waiting for a zero day. If I absolutely need to transfer some files I'll use SSH. That's what they make laptops for - so I don't have to dial in at home to "pick up that one file I forgot".

  3. zdnet's article says Microsoft has "implement measures to identify potential leaks" as I assume Sophos is part of the MAPP do you all have any thorght on if we're going to see some company booted off the program soon?

  4. Nigel · 1301 days ago

    It now appears that the Chinese proof-of-concept is the direct result of a leak, either at Microsoft or TippingPoint ZDI (Zero Day Initiative), according to Luigi Ariemma, the security researcher credited by Microsoft with finding and reporting the RDP code execution vulnerability.


  5. Moto · 1301 days ago

    Anyone have the IDE name for Troj/PyRDP-A?

  6. mason · 1298 days ago

    Recently had a bluescreen, not sure if related to the exploit.

  7. Elle Woods, Esq. · 1296 days ago

    Me too, Mason. Funnily enough, while trying to stream reruns of Dr. Who.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley