
Dangerous Microsoft RDP vulnerabilities repaired in Patch Tuesday

Stephanie Wright, Contributor

Microsoft issued six security bulletins, including one critical update that addresses two serious Windows Remote Desktop Protocol (RDP) vulnerabilities that could be exploited by an attacker to take complete control of a system or prevent it from working properly.


The RDP flaws prompted warnings from vulnerability experts who said attackers would likely develop a worm to exploit the vulnerabilities. In all, Microsoft repaired seven vulnerabilities in its March 2012 Patch Tuesday release.

Microsoft Bulletin MS12-020 addresses the RDP issues and was given the highest deployment priority by the security giant. Microsoft RDP provides remote display and input capabilities over network connections for Windows-based applications running on a server. The flaws can be used by attackers to install malware and crash a Windows system or server. The update affects all Microsoft Windows operating systems and servers.

“RDP has a lot of implications. The fact that many people are running that and it’s available through the Internet; that’s actually kind of a scary one to me,” said Marcus Carey, security researcher at Rapid7. “This is wide open.”

Critical vulnerability CVE-2012-0002 could allow remote code execution through the RDP function, Microsoft said. An attacker could use a specially crafted sequence of packets to gain full access to the system. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said in its bulletin summary.

The denial of service vulnerability CVE-2012-0152 is rated moderate. It could allow a special packet sequence to cause the RDP to stop responding.

In addition to Rapid7, vulnerability management vendor Qualys and security giant Symantec classified the RDP flaws as dangerous and the most important of this month’s release.

Ben Greenbaum, senior principal software engineer for the Security Intelligence Group, recommended paying very close attention to the critical Windows bulletin.

“Aside from patching this specific vulnerability, it’s never a bad idea to disable any unused or unneeded services, including the Remote Desktop service,” he said in a statement. Carey agreed, adding that organizations should restrict the number of authenticated users allowed on RDP at any given time, as well as appropriately deploying firewalls.

Kaspersky Lab senior security researcher Kurt Baumgartner said attackers have targeted Microsoft RDP in the past. A patch rollout to repair RDP-enabled systems should not be delayed, he said. In a blog post on Kaspersky Lab's SecureList, Baumgartner wrote that the Morto worm was used last year to attack businesses using brute force password guessing.

"It was spreading mainly because of extremely weak and poor password selection for administrative accounts," Baumgartner wrote. "The Morto worm incident brought attention to poorly secured RDP services. Accordingly, this Remote Desktop vulnerability must be patched immediately."

The good news is that RDP is not enabled in Windows by default. Additionally, if Network Level Authentication is enabled, the attacker would be required to be authenticated to the RD Session Host server to gain access.

According to Microsoft’s Trustworthy Computing blog, the vendor is offering a mitigation to give organizations some flexibility in scheduling the patch for this bulletin.

“To provide for a bit of scheduling flexibility, we’re offering a one-click, no-reboot Fix it that enables Network-Level Authentication, an effective mitigation for this issue,” wrote Angela Gunn, a spokesperson for Microsoft’s Trustworthy Computing Group.
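A read-only check of the two mitigations discussed above, disabling Remote Desktop and requiring Network Level Authentication, can be run on a Windows host. This is an added example, not code from the article or from Microsoft; the function names are hypothetical, the registry paths are the standard Windows Terminal Server settings, and it does not check whether the MS12-020 update itself is installed.

```powershell
# Added example: audit whether RDP is enabled and whether NLA is required.
# Read-only; it changes no settings.

$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-EffectiveValue {
    param([string]$Name, [string]$LocalPath)
    # A Group Policy value, when present, overrides the local setting.
    $policy = Get-RegValue -Path $policyKey -Name $Name
    if ($null -ne $policy) { return $policy }
    Get-RegValue -Path $LocalPath -Name $Name
}

function Get-RdpAssessment {
    param($DenyConnections, $UserAuthentication)
    # fDenyTSConnections = 1: Remote Desktop refuses incoming connections.
    if ($DenyConnections -eq 1) { return 'RDP disabled' }
    # UserAuthentication = 1: NLA is required before a session is created.
    if ($UserAuthentication -eq 1) { return 'RDP enabled, NLA required' }
    # A missing value is treated as "not set", the conservative reading.
    'RDP enabled WITHOUT NLA: patch first, then enable NLA or disable RDP'
}

$deny = Get-EffectiveValue -Name 'fDenyTSConnections' -LocalPath $tsKey
$nla  = Get-EffectiveValue -Name 'UserAuthentication' -LocalPath $rdpTcpKey
$port = Get-RegValue -Path $rdpTcpKey -Name 'PortNumber'

[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    RdpPort    = $port
    DenyTS     = $deny
    NlaSetting = $nla
    Assessment = Get-RdpAssessment -DenyConnections $deny -UserAuthentication $nla
}
```

Hosts reported as enabled without NLA are the ones to patch first, and any of them reachable from the Internet should also be reviewed against the firewall advice above.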

Microsoft also addressed five other vulnerabilities. Bulletins MS12-017 and MS12-018 are rated “important” and address vulnerabilities in the DNS server and the Windows Kernel-Mode Drivers, respectively.

MS12-017 deals with vulnerability CVE-2012-0006 and affects Windows Server 2003, 2008 and 2008 R2. This vulnerability could allow an attacker to send a DNS query to a targeted server, causing it to stop responding and automatically restart.

MS12-018 addresses CVE-2012-0157, a privilege elevation vulnerability in all releases of Microsoft Windows. The Security Bulletin Summary warns that an attacker who logs on “could run arbitrary code in kernel mode and take complete control” of the system. Workstations and terminal servers would be primarily at risk of this exploit.

These first three bulletins mentioned will require a restart.

Visual Studio bulletin MS12-021 could allow for elevation of privilege in all supported versions of the program, but the attack is complex. The attacker would need valid login credentials and to log in locally. Then he/she would have to convince a user with high privilege to open Visual Studio after inserting an add-in in the path. The add-in would then load with the same administrative privilege and allow the attacker to access the system.

MS12-022 addresses CV-2012-016, a vulnerability in all released versions of Expression Design that could allow for a DLL file to be opened with a legitimate Expression Design file. All code contained in the DLL file would then be run. The update corrects the manner in which Expression Design loads external libraries.

MS12-019 is the only “moderate” bulletin in this month’s release. It addresses a vulnerability in Windows DirectWrite that could allow denial of service if a specially crafted sequence of Unicode characters is sent to an instant messenger client. This vulnerability appears to have been introduced with Windows Vista, as it only applies to Windows Vista and 7.

These final three bulletins may require a restart.

This month’s release is light compared to the February 2012 Patch Tuesday, when Microsoft released nine bulletins addressing 21 vulnerabilities.