Tuesday, March 13, 2012

Dangerous Microsoft RDP vulnerabilities repaired in Patch Tuesday

Microsoft issued six security bulletins, including one critical update that addresses two serious Windows Remote Desktop Protocol (RDP) vulnerabilities which may be exploited by an attacker to take complete control of a system or prevent it from working properly.


In all, Microsoft repaired seven vulnerabilities in its March 2012 Patch Tuesday release. 

Microsoft Bulletin MS12-020 addresses the RDP issues and was given the top deployment priority by Microsoft. Microsoft RDP provides remote display and input capabilities over network connections for Windows-based applications running on a server. Attackers could use the flaws to install malware and crash a Windows system or server. The update affects all Microsoft Windows operating systems and servers.

“RDP has numerous implications. The indisputable fact that lots of people are running that and it's available in the course of the Internet; that's actually sort of a scary one to me,” said Marcus Carey, security researcher at Rapid7. “This is wide open.”

Critical vulnerability CVE-2012-0002 could allow remote code execution through RDP, Microsoft said. An attacker could use a specially crafted sequence of packets to gain full access to the system. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said in its bulletin summary.

The denial-of-service vulnerability CVE-2012-0152 is rated moderate. It could allow a special packet sequence to cause RDP to stop responding.

In addition to Rapid7, vulnerability management vendor Qualys and security giant Symantec classified the RDP flaws as dangerous and the most significant of this month's release.

Ben Greenbaum, senior principal software engineer for the Security Intelligence Group, recommended paying very close attention to the critical Windows bulletin.

“Aside from patching this specific vulnerability, it's never a foul idea to disable any unused or unneeded services, including the Remote Desktop service,” he said in an announcement. Carey agreed, adding that organizations should restrict the authenticated users allowed on RDP at any given time, as well as deploy firewalls appropriately.

Kaspersky Lab senior security researcher Kurt Baumgartner said attackers have targeted Microsoft RDP in the past. A patch rollout to fix RDP-enabled systems should not be delayed, he said. In a blog post on Kaspersky Lab's SecureList, Baumgartner wrote that the Morto worm was used last year to attack businesses using brute-force password guessing.

"It was spreading mainly with the aid of extremely weak and poor password selection for administrative accounts," Baumgartner wrote. "The Morto worm incident brought attention to poorly secured RDP services. Accordingly, this Remote Desktop vulnerability should be patched immediately."

The good news is that RDP is not enabled in Windows by default. Additionally, if Network Level Authentication is enabled, the attacker would be required to authenticate to the RD Session Host server to gain access.

According to Microsoft's Trustworthy Computing blog, the vendor is offering help to ease patching for this bulletin.

“To provide for just a little scheduling flexibility, we're offering a one-click, no-reboot Fix it that permits Network-Level Authentication, a fantastic mitigation for this issue,” wrote Angela Gunn, a spokesperson for Microsoft's Trustworthy Computing Group.
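One way to check a host for the two mitigations discussed above (Remote Desktop disabled, or Network Level Authentication required). This is an added example, not code from the article and not Microsoft's Fix it; the function name `Test-RdpHardening` and the sample hosts are constructed for illustration.

```powershell
# Added example (hypothetical helper, not Microsoft's Fix it).
# Evaluates the two registry settings behind the mitigations named in the article:
#   fDenyTSConnections (Control\Terminal Server)  1 = RDP off, 0 = RDP on
#   UserAuthentication (WinStations\RDP-Tcp)      1 = NLA required, 0 = not required
function Test-RdpHardening {
    param(
        [Parameter(Mandatory)] $TerminalServer,  # values from ...\Control\Terminal Server
        [Parameter(Mandatory)] $RdpTcp           # values from ...\WinStations\RDP-Tcp
    )
    $deny = $TerminalServer.fDenyTSConnections
    $nla  = $RdpTcp.UserAuthentication

    # A missing value is reported as unknown rather than silently treated as "off".
    $finding = if ($null -eq $deny) { 'UNKNOWN: fDenyTSConnections not readable, check manually' }
    elseif ($deny -ne 0)            { 'OK: Remote Desktop is disabled' }
    elseif ($nla -eq 1)             { 'REDUCED: RDP on, NLA required (authentication comes first)' }
    else                            { 'EXPOSED: RDP on without NLA; patch, then enable NLA or disable RDP' }

    [pscustomobject]@{
        RdpEnabled  = ($deny -eq 0)
        NlaRequired = ($nla -eq 1)
        Port        = $RdpTcp.PortNumber
        Finding     = $finding
    }
}

# Constructed sample values (not taken from real hosts).
$samples = @(
    @{ Name = 'host-a'; TS = @{ fDenyTSConnections = 1 }; Tcp = @{ UserAuthentication = 0; PortNumber = 3389 } }
    @{ Name = 'host-b'; TS = @{ fDenyTSConnections = 0 }; Tcp = @{ UserAuthentication = 1; PortNumber = 3389 } }
    @{ Name = 'host-c'; TS = @{ fDenyTSConnections = 0 }; Tcp = @{ UserAuthentication = 0; PortNumber = 3389 } }
)
foreach ($s in $samples) {
    Test-RdpHardening -TerminalServer $s.TS -RdpTcp $s.Tcp |
        Select-Object @{ n = 'Host'; e = { $s.Name } }, RdpEnabled, NlaRequired, Port, Finding
}

# On a Windows host, evaluate the live registry as well.
if ($env:OS -eq 'Windows_NT') {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    Test-RdpHardening -TerminalServer (Get-ItemProperty -Path $base) `
                      -RdpTcp (Get-ItemProperty -Path "$base\WinStations\RDP-Tcp")
}
```

Settings pushed by Group Policy can override these local values, so a domain-joined host should also be checked against its effective policy.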

In addition, five other vulnerabilities were also addressed by Microsoft. Bulletins MS12-017 and MS12-018 are rated “important” and address a vulnerability in the DNS server and the Windows Kernel-Mode Drivers, respectively.

MS12-017 deals with vulnerability CVE-2012-0006 and affects Windows Server 2003, 2008 and 2008 R2. This vulnerability could allow an attacker to send a DNS query to a targeted server, causing it to stop responding and automatically restart.

MS12-018 addresses CVE-2012-0157, a privilege elevation vulnerability in all releases of Microsoft Windows. The Security Bulletin Summary warns that an attacker who logs on “could run arbitrary code in kernel mode and take complete control” of the system. Workstations and terminal servers are primarily at risk from this exploit.

The first three bulletins mentioned require a restart.

Visual Studio bulletin MS12-021 could allow for elevation of privilege in all supported versions of Visual Studio, but the attack is complex. The attacker would need valid login credentials and to log on locally. Then he or she would need to convince a user with high privileges to open Visual Studio after placing an add-in in the path. The add-in would then load with the same administrative privileges and allow the attacker to access the system.

MS12-022 addresses CV-2012-016, a vulnerability in all released versions of Expression Design that could allow a DLL file to be loaded along with a valid Expression Design file. Any code in the DLL file would then be run. The update corrects the way in which Expression Design loads external libraries.

MS12-019 is the only “moderate” bulletin in this month's release. It addresses a vulnerability in Windows DirectWrite that could allow denial of service if a specially crafted sequence of Unicode characters is sent to an instant messenger client. This vulnerability appears to have been introduced with Windows Vista, because it applies only to Windows Vista and Windows 7.

These final three bulletins may require a restart.

This month's release is light when compared with the February 2012 Patch Tuesday, when Microsoft released nine bulletins addressing 21 vulnerabilities.

