Why it’s a good idea to keep on top of Windows Updates

By November 5, 2012 Technical

Our IDS has proven itself extremely valuable several times so far, so we thought we’d share something interesting that it picked up.

What’s an IDS?

In case you’ve not come across the term “IDS” before, and seeing as we haven’t mentioned it previously, we’ll go over that first.

An Intrusion Detection System, or IDS for short, is a system that sits on a network and compares packets to a set of rules. These rules contain signatures, which are patterns that are defined to detect malicious and potentially dangerous network activity.

When our IDS detects something, it will write a line to a log file that we monitor. It does NOT capture and keep data.

We won’t go into further detail about our IDS at this stage; maybe later 😉

Why you should update

But enough about the IDS, and onto what it found.

We detect millions of potentially malicious packets on a daily basis. These are your common RDP, SSH, FTP, etc. brute-force attacks that blindly cycle through different combinations of usernames and passwords. Once in a while an alert will pop up that catches my attention.

This one was something that very much tickled my fancy (some details are redacted for anonymity):

10/xx/2012-xx:xx:xx.xxxx  [**] [1:2014383:2] ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:63339 -> xxx.xxx.xxx.xxx:3389

This particular signature relates to the vulnerability discovered earlier this year in the Remote Desktop Protocol. It was identified as CVE-2012-0002 and MS12-020.
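To show how an alert line like the one above can be turned into an automated response, here is a small parser for that single-line alert format plus a per-source tally that flags only high-priority (exploit-class) hits while ignoring lower-priority brute-force noise. This is an added example, not Anchor’s own tooling; the sample log lines are constructed (documentation IP ranges, a made-up SSH rule id), with the RDP line mirroring the alert quoted in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# One-line "fast" alert format as quoted in the post:
# <timestamp>  [**] [gid:sid:rev] <message> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)

@dataclass
class Alert:
    ts: str
    sid: int
    msg: str
    cls: str
    prio: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert line; return None for lines that do not match (truncated or unrelated output)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(ts=m["ts"], sid=int(m["sid"]), msg=m["msg"], cls=m["cls"] or "",
                 prio=int(m["prio"]), proto=m["proto"].upper(), src=m["src"],
                 sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]))

def sources_to_ban(lines: Iterable[str], max_prio: int = 1, min_hits: int = 1) -> dict:
    """Tally alerts with priority <= max_prio per source IP; a source qualifies once it reaches min_hits.
    With the defaults a single priority-1 alert (an exploit attempt) is enough; priority-2+ noise is ignored."""
    hits: Counter = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and alert.prio <= max_prio:
            hits[alert.src] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}

# Constructed sample log (IPs from the documentation ranges; sid 9000001 is a made-up rule id).
SAMPLE_LOG = [
    "10/20/2012-03:14:15.123456  [**] [1:2014383:2] ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:63339 -> 198.51.100.20:3389",
    "10/20/2012-03:14:16.000001  [**] [1:9000001:1] CONSTRUCTED SSH login attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40100 -> 198.51.100.20:22",
    "garbage line that should be skipped",
]
```

Feeding the parsed source address into a firewall drop rule is left to the reader; the tally deliberately keys on the IDS priority so that lower-priority scan noise does not trigger bans.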

The flaw itself was caused by the way Windows handled a certain part of an RDP packet in memory. This could result in one of two things, depending on which version of Windows you’re running:

  • A blue screen of death
  • Remote code execution

This particular vulnerability was patched by Microsoft with an out-of-band update. If you’re a Windows customer with us, you would have received notification that we were scheduling some emergency downtime to get it patched immediately.

While the exploit is several months old, many users and admins don’t keep their systems patched, leaving themselves vulnerable. That’s why you still see it roaming in the wild instead of dying out quickly (as it should).

Of course this machine had been patched straight away so the exploit attempt was ineffective. Our IDS was watching and caught it in the act, and we banhammered the offending IP with great prejudice.

Some fun extra reading

If you’re interested in some more of the details, these pages provide good coverage.


This is Steve. One of the awesomely brilliant (and well-bearded) Anchorites.
