RDP, IE Security Fixes Top Microsoft Patch Tuesday7:32 PM EST Tue. Jun. 12, 2012
Fixes for Internet Explorer and Remote Desktop Protocol (RDP) headline this month’s edition of Microsoft's Patch Tuesday. The Redmond, Washington-based company has issued three bulletins listed as “critical” and four bulletins listed as “important” as channel partners and other IT leaders seek to make their infrastructure more secure as the number of worldwide attacks continues to escalate.
On the critical list, Bulletin MS12-036 resolves a privately reported vulnerability in the Remote Desktop Protocol that could allow remote code execution via malicious RDP packets sent to an infected system.
“The RDP one is a bit scary,” said Jason Miller, manager of research and development at VMware. “Attackers don't even need to know anything about your network. They just need you to have RDP enabled. The protocol is used by administrators for the virtualization of servers, remote management and other functions. So, RDP is probably going to be enabled on most of the machines on the network. This is an extremely important patch that deserves immediate attention.”
Bulletin MS12-037 is a critical update eliminating a vulnerability in Internet Explorer that could allow remote code delivered through a compromised website. An attacker who has successfully exploited any of these vulnerabilities could gain the same user rights as the current user.
“I think this vulnerability will be used in attacks sooner than any of the other ones on this list,” said Marc Maiffret, CTO of BeyondTrust. “This is actually a variety of different Internet Explorer vulnerabilities that impact all the versions of the browser. These are a lot more straightforward to actually exploit, so I think we'll see that used fairly quickly in the wild.”
Marcus Carey, security researcher at Rapid7, also puts the IE vulnerabilities at the top of his patch list due to the wide deployment of the Microsoft browser. “The Internet Explorer bulletin is definitely interesting because browser related exploits are by far the number one vehicle of attack from a criminal perspective and from an APT perspective,” he said. “Given the sheer number of desktops involved, I think it should be taken very seriously.”
The third critical bulletin, MS12-038, resolves a vulnerability to the Net Framework that could allow remote code execution on a client system via a compromised website if the user is running a web browser that can run XAML applications. The vulnerability could also be used by Windows Net applications to bypass code access security restrictions. In addition, malicious websites and websites that accept or host user-provided content or advertisements could contain malicious content that could exploit this vulnerability, as well.
NEXT: Here’s What’s “Important”
Among the bulletins listed as important, MS12-039 is intended to close vulnerabilities in Microsoft Lync that could allow remote code execution if a user views shared content that contains TrueType fonts that became embedded with malware.
“We've had some real serious problems over the last decade with TrueType fonts,” said Paul Henry, security and forensic analyst at Lumension. “It points to HTML issues in IE. So while Microsoft is calling it an important vulnerability, I think of this as a higher level priority because it impacts TrueType fonts as well as IE. It's not simply about the Lync communicator.”
“This was a vulnerability that Stuxnet and Duqu used,” said BeyondTrust’s Maiffret. “It had originally been patched in December but Microsoft actually reused the vulnerable TrueType parsing code, so there was another bulletin that Microsoft ended up releasing last month that basically fixed more products that reused that code. So this month, there's another vulnerability, seven months later, using the same vulnerability in Microsoft Lync. If your company is using Lync, then this is a very straightforward threat that needs to be patched.”
MS12-040 is aimed at a vulnerability in Microsoft Dynamics AX Enterprise Portal that could allow elevation of privilege if the user clicks on a malicious website. The patch enables Microsoft’s XSS Filter by default, as a means of closing the exposure.
“The fixes for Lync and AX are not going to run automatically through Windows update,” warned VMware’s Miller. “So you need to be aware that those patches are going to have to be manually located and downloaded. It's important that every month we look at how those patches are being distributed so that we don't miss something inadvertently.”
MS12-041 and MS12-042 both resolve Windows vulnerabilities that could allow elevation of privilege if an attacker logs onto a system and runs a malicious application. The attacker must have valid logon credentials and be able to logon locally to exploit these vulnerabilities.
NEXT: Another Flame Fix
One thing noticeably absent from the June Patch Tuesday lineup was an additional fix to support security against the Flame worm.
“When Microsoft investigated Flame, they found out that it was often looking like a legitimate Microsoft download,” said Wolfgang Kandek, CTO of Qualys. “The attackers had found a way to generate a digital signature using some pretty sophisticated technology. So Microsoft fixed that last week by removing the related certificates from the overall list of Microsoft certificates on every machine. That was the quickest thing for them to do. So right now, they're re-engineering the deliveries for Windows updates using a new signing certificate. The client who installs the downloads is going to be much pickier. It will have to be signed by one specific certificate, as opposed to just any Microsoft certificate. And, it will also scrutinize communication between itself and the site where it gets downloaded. We expect this update to be out within the next 30 days.”
Even though Flame is currently limited to specific cyberattacks, a number of security professionals are warning channel partners to nonetheless take this threat seriously. “The likelihood of getting Flame onto your system is virtually nil, unless you're dealing with one of the countries that are involved,” added VMware's Miller. “But copycat virus writers will definitely go after those modules, so this is going to need to be addressed this month. It’s going to be a goldmine for anyone trying to launch an attack against corporate resources.”