Patch Tuesday: Microsoft Issues Critical Remote Desktop, IE Update


Microsoft has repaired critical vulnerabilities in Internet Explorer and its Windows Remote Desktop Client, fixing remote code execution flaws that can be used to gain access to sensitive data.

The software giant issued nine bulletins, two critical, in its April 2013 Patch Tuesday round of security updates. The repairs address both client- and server-side vulnerabilities, fixing issues in Windows, Windows Defender antimalware software and SharePoint Server.

Microsoft repaired two critical remote code execution vulnerabilities in Internet Explorer that could be used by an attacker in drive-by attacks. The issues impact all versions of Internet Explorer, including Internet Explorer 10 on Surface tablets. "Both of these issues were privately disclosed and we have not detected any attacks or customer impact," Microsoft said.

Security experts are still waiting for a security update that fixes vulnerabilities exploited at the HP-TippingPoint Pwn2Own hacking contest in March at the CanSecWest conference.

The company also addressed a critical ActiveX flaw in Windows Remote Desktop Client that an attacker could use to gain access to a system. The issue is rated critical for Remote Desktop Connection 6.1 Client and Remote Desktop Connection 7.0 running on Windows XP, Windows Vista and Windows 7. The update is rated moderate for the software running on Windows Server.

Microsoft indicated that an exploit attacking the flaw is likely. Rather than disabling the RDP control through a kill-bit, Microsoft has decided to fix it, according to Ross Barrett, senior manager of security engineering at vulnerability management vendor Rapid7. Barrett said the issue does not impact version 8 of the client, but version 8 is not the default on most Windows systems.

The company also issued an "important" update for a vulnerability in SharePoint Server, addressing an issue that could be used by an attacker to gain access to the SharePoint site. The issue was publicly disclosed, Microsoft said. An attacker would need to be able to satisfy the site's authentication requests and determine the location of a specific SharePoint list to conduct a successful attack.

In addition, Microsoft addressed errors that could be used by Windows users to elevate privileges or cause a system to crash. The errors included a flaw in the Windows Kernel that could give a user with valid credentials elevated privileges, an issue with Active Directory that an attacker could use to cause it to crash and a vulnerability in Microsoft Antimalware Client that could be used to elevate privileges.

Microsoft also announced that support for Windows XP users will end next year. Microsoft said that, due to its age, Windows XP has higher malware infection rates than other Windows versions.

Once Microsoft pulls the plug on support for Windows XP SP3, "users will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates," wrote Tim Rains, director of product management for Microsoft's Trustworthy Computing group. "Moving forward, this will likely make it easier for attackers to successfully compromise Windows XP-based systems using exploits for unpatched vulnerabilities."

PUBLISHED APRIL 9, 2013