SpiderLabs Blog

Microsoft Patch Tuesday, March 2012: Beware the RDP's of March


In Back to the Future Part 2, the bad next-door neighbor kid gets hold of an almanac from the future when his future self takes the Delorean back in time and gives it to him. I don't know about you, but if I ever see a Delorean parked out front, I'm putting NVD on a stack of Zip Disks and heading back to meet my 2001 self.

MS12-020 would be somewhere near the top of the stack. It's this month's top-priority bulletin and involves unauthenticated Remote Code Execution on XP and newer systems running Remote Desktop Protocol (RDP). I'm not sure it would work in 2001 -- only the still-supported Windows XP SP3 is listed as vulnerable -- but it would be worth a shot. Then, of course, I would tell everyone about it really quickly via "net send" no doubt, after I turned their listeners on. It's just that important.

Otherwise, there are 4 Important updates and 1 Moderate, including another Remote Code Execution issue, some Privilege Escalation, and a Remote Denial-of-Service. Thanks to Space Rogue for helping out with this month's update.

MS12-020 / KB2671387

Vulnerabilities in Remote Desktop Could Allow Remote Code Execution


Remote Desktop Protocol Vulnerability, CVE-2012-0002

This first CVE is the one we primarily need to worry about here. Time travel jokes aside, it's scary to think this has been hanging around for so long, but it appears to affect RDP across both server and desktop operating systems, including XP and 2003. Those of you who rely solely on RDP for remote administration, without requiring VPN access, should patch immediately or find another way to handle remote access. If TCP port 3389 is exposed to the Internet, you should really do something about this, like, this afternoon, or at least before dinner. Because getting hacked is bad for digestion.

The only upside here is that there are no known exploits in the wild. This is being done via coordinated disclosure, thankfully, but no doubt there's some serious IDA Pro and BinDiff work going on against that patch. Several Intrusion Detection System vendors, Trustwave included, are releasing detection logic to coincide with this release.
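As an added example (not code from the post or from Trustwave), here is a PowerShell audit for the points above: which of this month's OS-level fixes a host is missing, whether the host accepts RDP without KB2671387, and whether your own externally facing addresses answer on TCP/3389. It assumes PowerShell 2.0 or later run as a local administrator; the function names and the two target addresses at the bottom are made up for illustration.

```powershell
# Only OS-level bulletins: Get-HotFix does not report the MS12-021/022 product updates.
$March2012 = @{
    'MS12-017' = 'KB2647170'   # DNS Server DoS; only applies when the DNS role is present
    'MS12-018' = 'KB2641653'   # win32k.sys elevation of privilege
    'MS12-019' = 'KB2665364'   # DirectWrite denial of service
    'MS12-020' = 'KB2671387'   # RDP remote code execution / denial of service
}

function Get-MissingMarch2012Fixes {
    $installed = Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID }
    $dnsRole = Get-Service -Name DNS -ErrorAction SilentlyContinue
    foreach ($bulletin in ($March2012.Keys | Sort-Object)) {
        if ($bulletin -eq 'MS12-017' -and -not $dnsRole) { continue }   # see the note in the post
        if ($installed -notcontains $March2012[$bulletin]) {
            New-Object PSObject -Property @{ Bulletin = $bulletin; MissingKB = $March2012[$bulletin] }
        }
    }
}

function Test-Ms12020Exposure {
    # fDenyTSConnections = 0 means the RDP listener accepts connections.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $rdpEnabled = ($ts -ne $null) -and ($ts.fDenyTSConnections -eq 0)
    $missing = Get-MissingMarch2012Fixes | Where-Object { $_.Bulletin -eq 'MS12-020' }
    New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        RdpEnabled       = $rdpEnabled
        Ms12020Installed = (-not $missing)
        Action           = $(if ($rdpEnabled -and $missing) { 'patch now, or block TCP/3389 until patched' } else { 'ok' })
    }
}

function Test-Port3389 {
    # Plain TCP connect check: run it from outside the perimeter against your own addresses.
    param([string[]]$Hosts, [int]$TimeoutMs = 2000)
    foreach ($h in $Hosts) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $ar = $client.BeginConnect($h, 3389, $null, $null)
            $open = $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected
        } catch { }
        $client.Close()
        New-Object PSObject -Property @{ Host = $h; Port3389Open = [bool]$open }
    }
}

Get-MissingMarch2012Fixes
Test-Ms12020Exposure
Test-Port3389 -Hosts 'rdp-gateway.example.test', '192.0.2.10'   # constructed sample, not real hosts
```

A host reported with RdpEnabled true and Ms12020Installed false, whose address also shows Port3389Open true from outside, is exactly the "before dinner" case.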

Terminal Server Denial of Service Vulnerability, CVE-2012-0152

Similarly, this vulnerability involves sending a sequence of specially crafted packets to the RDP service, but in this case the attacker simply takes down the service. This issue does not appear to take down the whole system; it just knocks the RDP service offline. Actually, this one could be the same basic vulnerability as above, just without getting executable code onto the stack.

MS12-017 / KB2647170

Vulnerability in DNS Server Could Allow Denial of Service


DNS Denial of Service Vulnerability, CVE-2012-0006

If you're running DNS on various flavors of Windows Server 2003 or 2008, you will want to apply this update. Without it, an attacker can send you a specially crafted DNS query that could crash the DNS service and force it to restart. Repeating the attack could cause a DNS denial of service, which obviously wouldn't be good. Microsoft hasn't seen this in the wild at all yet, but that's no reason to slack off and delay updating.

Note: You won't see this update in Microsoft's Auto Update Service unless the server actually has DNS enabled.

MS12-018 / KB2641653

Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege


PostMessage Function Vulnerability, CVE-2012-0157

Privilege escalation can always be nasty, and it's the same here: any local authorized user could exploit this vulnerability to run arbitrary code in kernel mode. Of course, once you have that capability you can do all sorts of nasty things, including creating new accounts with full admin rights. This one affects just about everything from XP SP3 up to Server 2008 R2, even on Itanium. The vulnerability lives in the kernel-mode driver win32k.sys, which does everything from managing keyboard input to controlling window displays.

While Microsoft has not seen this being actively exploited in the wild, the insider threat is often underestimated and this is a perfect example of the damage that a trusted employee could do.

MS12-019 / KB2665364

Vulnerability in DirectWrite Could Allow Denial of Service


DirectWrite Application Denial of Service Vulnerability, CVE-2012-0156

This vulnerability is only listed as "moderate" but it's still pretty interesting. One of the DirectX APIs is DirectWrite, a rendering engine used to output high-quality text, resolution-independent outline fonts, Unicode text, and other things. This vulnerability could allow an attacker to crash an application such as Windows Live Messenger or even Windows Internet Explorer 9 if the attacker can get the application to attempt to render a specially crafted sequence of Unicode characters. An attacker could do this with a standard phishing email containing a link to a web page with the characters, or by sending an instant message with the characters. According to Microsoft this doesn't do anything except crash the application, and it hasn't been seen in the wild yet. But it may be only a hop, skip, and a jump before someone turns this into something more nefarious, so install the patch before they do.

MS12-021 / KB2651019

Vulnerability in Visual Studio Could Allow Elevation of Privilege


CVE-2012-0008, Visual Studio Add-In Vulnerability

Similar to the Insecure Library Loading vulnerability below, but affecting Visual Studio 2008/2010, and without the pajamagrams. The issue is that a local user can sneak an "Add-In" into the path Visual Studio uses. When VS is run by a local admin, that code is also run automatically with admin privileges. The patch changes how Visual Studio decides where Add-Ins can be loaded from.

The details on this one are a bit hazy because it's not being seen in the wild, but it's worth updating, especially on multi-user machines where Visual Studio is loaded.

MS12-022 / KB2651018

Vulnerability in Expression Design Could Allow Remote Code Execution


CVE-2012-0016, Expression Design Insecure Library Loading Vulnerability

It's another DLL Injection scenario; we seem to be getting these regularly on Patch Tuesday. This one affects all versions (1-4) of Microsoft Expression Design, an illustration program. It's tough to decide whether to re-explain Insecure Library Loading each time, so when in doubt I usually write haiku:

Path to DLL

Not specific by default

CWD beckons

And for completeness, the above converted to Japanese, to Korean, and back:

The path of the DLL, by default, is not unique motioned for pajamagrams.

Yeah, that pretty much says it all.
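An added example, not from the post, in PowerShell because that is where the check gets run: it reports the two Session Manager registry values that decide whether the current working directory is searched when a program loads a DLL by bare name (the haiku's "CWD beckons"), and goes one step beyond the haiku by listing PATH directories, which come last in the search order, that ordinary users can write to. The function names are mine; the registry value names and their meanings are Microsoft's (SafeDllSearchMode, and CWDIllegalInDllSearch from update KB2264107).

```powershell
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-DllSearchOrderSettings {
    # SafeDllSearchMode=1 (the default) searches the system directories before the
    # current directory; 0 searches the current directory second, right after the
    # application's own directory. CWDIllegalInDllSearch (KB2264107) removes the
    # current directory from the search: 0xFFFFFFFF always, 2 only when it is a
    # remote share, 1 only when it is a WebDAV share. Absent means no restriction.
    $p = Get-ItemProperty $SessionManager -ErrorAction SilentlyContinue
    $safe = $(if ($p.SafeDllSearchMode -eq $null) { 1 } else { [int]$p.SafeDllSearchMode })
    $cwd = $p.CWDIllegalInDllSearch
    New-Object PSObject -Property @{
        SafeDllSearchMode     = $safe
        CWDIllegalInDllSearch = $(if ($cwd -eq $null) { 'not set' } else { '0x{0:X8}' -f ([int64]$cwd -band 0xFFFFFFFF) })
        CwdStillSearched      = ($cwd -eq $null -or ([int64]$cwd -band 0xFFFFFFFF) -ne 0xFFFFFFFF)
    }
}

function Get-UserWritablePathDirs {
    # A PATH directory that low-privilege users can create files in is another place
    # a bare-name DLL load can be redirected from. WriteData (CreateFiles) is included
    # in Modify and FullControl; ACEs granting only generic rights are not decoded here.
    $lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    $write = [System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($dir in ($env:PATH -split ';' | Where-Object { $_ -and (Test-Path $_) })) {
        $acl = Get-Acl -Path $dir -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        $hits = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band $write) -ne 0
        }
        if ($hits) {
            New-Object PSObject -Property @{
                Directory  = $dir
                WritableBy = (($hits | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join ', ')
            }
        }
    }
}

Get-DllSearchOrderSettings
Get-UserWritablePathDirs
```

Setting CWDIllegalInDllSearch to 0xFFFFFFFF closes the haiku's hole system-wide but can break applications that legitimately load helper DLLs from the current directory, so test it before rolling it out.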
