Microsoft Patch Tuesday: RDP - Keep on Knockin' But You Can't Come In

Another month, another Patch Tuesday. This one has seven bulletins, three of which are rated critical, covering a couple of dozen CVEs. Microsoft thinks that exploit code will eventually be written for most of them as well. Of course, if you have Auto Update turned on you should be covered; if you don't, plan to apply these patches as soon as you can.

MS12-036/KB2685939

Critical

Remote Desktop Protocol Vulnerability

CVE-2012-0173

RDP seems to be getting hit quite a bit lately, which is understandable: once you have one big vulnerability in a service, a lot of people tend to look at it and then find even more. Ever since MS12-020 a lot of people have been knocking on RDP's door. It is an attractive target and one that many people leave unsecured for convenience. This vulnerability will cause a denial of service and in some cases even remote code execution if RDP receives a specially crafted packet. This patch modifies the way RDP processes packets in memory, which addresses the vulnerability. Microsoft thinks that exploit code for this one is likely and because of that it is rated as critical. This update will be offered to systems even if they do not have RDP enabled, but it will not be offered to older systems such as XP SP2 or Server 2003 SP1. So if you are running RDP on something old(ish) you will want to make sure you have RDP disabled. You should also look into blocking port 3389 on your firewall, which will help prevent attacks from the Internet.
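To turn that advice into a quick check, here is an added example (not from the original post or from Microsoft) that audits a Windows host for the MS12-036 exposure: whether KB2685939 is installed, whether Remote Desktop is enabled, and whether anything is listening on TCP 3389. It assumes PowerShell 2.0 or later with local administrator rights; the function names are my own.

```powershell
# Added example: audit one host against the MS12-036 (KB2685939) advice above.
# Assumes PowerShell 2.0+ running as a local administrator.

function Test-Ms12036Exposure {
    # 1. Is the MS12-036 fix present? Get-HotFix reads the installed-update list (same data as "wmic qfe").
    $patched = [bool](Get-HotFix -Id 'KB2685939' -ErrorAction SilentlyContinue)

    # 2. Is Remote Desktop enabled? fDenyTSConnections = 1 means incoming connections are denied.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
    $rdpEnabled = ($ts -ne $null) -and ($ts.fDenyTSConnections -eq 0)

    # 3. Is anything actually listening on TCP 3389? netstat works on XP/2003 as well as newer releases.
    $listening = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

    # 4. The bulletin says XP SP2 and Server 2003 SP1 get no update: flag those as unpatchable.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $sp = [int]$os.ServicePackMajorVersion
    $unpatchable = (($os.Version -like '5.1*') -and ($sp -lt 3)) -or
                   (($os.Version -like '5.2*') -and ($sp -lt 2))

    # Verdict: exposed if RDP is reachable (enabled or listening) and the fix is missing.
    $risk = 'Low'
    if (($rdpEnabled -or $listening) -and -not $patched) { $risk = 'High' }

    New-Object PSObject -Property @{
        Patched       = $patched
        RdpEnabled    = $rdpEnabled
        Listening3389 = $listening
        Unpatchable   = $unpatchable
        Risk          = $risk
    }
}

# Remediation for hosts that cannot take the patch: disable RDP and block 3389 inbound.
# netsh advfirewall exists on Vista/2008 and later; on XP/2003 use the Windows Firewall UI instead.
function Disable-RdpExposure {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                     -Name 'fDenyTSConnections' -Value 1
    netsh advfirewall firewall add rule name='Block inbound RDP (MS12-036)' `
          dir=in action=block protocol=TCP localport=3389
}

Test-Ms12036Exposure | Format-List
```

Run `Disable-RdpExposure` only on the hosts the audit marks as unpatchable, since it will cut off any administrators who rely on RDP to reach the box.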

MS12-037/KB2699988

Critical

Cumulative Security Update for Internet Explorer

CVE-2012-1523 CVE-2012-1858 CVE-2012-1872 CVE-2012-1873 CVE-2012-1874
CVE-2012-1880 CVE-2012-1881 CVE-2012-1882

Wow, look at all those CVE numbers! This cumulative update really packs them in, fixing not one, not two, but thirteen different vulnerabilities, the worst of which could allow remote code execution if a user views a specially crafted webpage. The attack only gets the system privileges of the locally logged-in user, but if that user happens to be an administrator, well, game over. The various vulnerabilities affect all versions from IE 6 up to and including IE 9. The fixes here involve everything from the way that Internet Explorer handles objects in memory, HTML sanitization using toStaticHTML, and the way that Internet Explorer renders data during certain processes, to the way that Internet Explorer creates and initializes strings.

MS12-038/KB2706726

Critical

Remote Code Execution in .NET

CVE-2012-1855

This one looks particularly nasty. If you have certain versions of the .NET Framework installed, the improper execution of a function pointer could allow an attacker to execute code remotely. This means that any web page, advertisement, or site that can host user-provided content could potentially take advantage of this vulnerability. This issue does not affect IE on Server 2003, 2008 and 2008 R2, since those versions already run under the Enhanced Security Configuration, which should protect you in this case. If you can't apply this patch for whatever reason, you will want to disable XAML browser applications. The settings are in Internet Options on the Security tab: disable Loose XAML, XAML Browser Applications and XPS documents. You will also want to only run components signed with Authenticode. Don't forget to change the settings under the Local Intranet zone as well.

MS12-039/KB2707956

Important

Remote Code Execution in Lync

CVE-2011-3402 CVE-2012-0159 CVE-2012-1849 CVE-2012-1858

You might notice that one of those CVE numbers starts with 2011 and think, whoa, this has been around since last year? That may or may not be the case. CVE numbers are often reserved while a researcher actively works on a potential vulnerability, and it may take them some time to complete the research, so the fact that the CVE number is a little dated should not be a big concern.

Once again we have the potential for remote code execution, this time centered on how Microsoft Lync handles TrueType fonts. If you haven't heard of Lync, it's Microsoft's corporate messaging system: think Skype, but as a part of Microsoft Office. (Wait, didn't Microsoft buy Skype?) Lync has issues with loading external libraries, which a specially crafted TrueType font can take advantage of. This one is very similar to MS12-037 listed above, but for Lync instead of IE.

MS12-040/KB2709100

Important

MS Dynamics AX Enterprise Portal Elevation of Privilege

CVE-2012-1857

This one deals with the Microsoft ERP solution Dynamics AX, specifically the Enterprise Portal. Security researchers found an instance of XSS in a portion of the portal, which is made more serious by the fact that Internet Explorer 8 and 9 will let down their XSS countermeasures when interacting with this product. This happens due to the default settings for the "Intranet Zone", which disable a number of countermeasures in favor of compatibility. Dumb stupid Intranets.

The patch resolves this flaw in Dynamics by properly sanitizing user input, preventing XSS social engineering attacks via common vectors such as malicious email and websites.

MS12-041/KB2709162

Important

Kernel-Mode Drivers Allow Elevation of Privilege

CVE-2012-1864 CVE-2012-1865 CVE-2012-1866

This update covers five vulnerabilities under three CVEs, all of which could result in an elevation of privilege if exploited by a locally logged-in user. The problems are in how the Windows kernel-mode drivers (specifically win32k.sys) validate input passed from user mode and handle TrueType font loading; the patch corrects that validation and adds additional runtime validation to the thread creation mechanism. Microsoft hasn't seen any of these vulnerabilities being exploited in the wild, yet, but they expect to.

MS12-042/KB2711167

Important

Windows Kernel Elevation of Privilege

CVE-2012-0217 CVE-2012-1515

MS12-042 is a two-fer, fixing two CVEs with just one update. In both cases the end result is an elevation of privilege, so any user who has local access to a system could run a specially crafted application and get System Administrator privileges, which basically means they own the box and can do anything they want. The issues lie with the Windows User Mode Scheduler and in the way that Windows manages the BIOS ROM. The BIOS vulnerability only affects XP SP3 and Server 2003 SP2, while the Scheduler vulnerability only impacts x64 versions of Win7 and Server 2008 R2 on Intel, so if you are running on 32-bit CPUs you're safe from this one. Microsoft says that it hasn't seen either of these vulnerabilities being exploited in the wild, yet, but they do expect that exploit code will be written for them.

That's it for this month. Not too bad, comparatively speaking. We will be back next month with another analysis.
