Microsoft Patch Tuesday: RDP - Keep on Knockin' But You Can't Come In

Another month, another Patch Tuesday. This one has seven bulletins, three of which are rated critical, covering a couple of dozen CVEs. Microsoft thinks that exploit code will eventually be written for most of them as well. Of course, if you have Auto Update turned on you should be covered; if you don't, plan to apply these patches as soon as you can.



Remote Desktop Protocol Vulnerability


RDP seems to be getting hit quite a bit lately, which is understandable: once a service has one big vulnerability, a lot of people tend to look at it and then find even more. Ever since MS12-020, a lot of people have been knocking on RDP's door. It is an attractive target and one that many people leave unsecured for convenience. This vulnerability will cause a denial of service and, in some cases, even remote code execution if RDP receives a specially crafted packet. This patch modifies the way RDP processes packets in memory, which addresses the vulnerability. Microsoft thinks that exploit code for this one is likely and because of that it is rated as critical. This update will be offered to systems even if they do not have RDP enabled, but it will not be offered to older systems such as XP SP2 or Server 2003 SP1. So if you are running RDP on something old(ish), you will want to make sure you have RDP disabled. You should also look into blocking port 3389 on your firewall, which will help prevent attacks from the Internet.
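The two mitigations above (confirm RDP is off, keep the port away from the Internet) as an audit script. This is an added example, not code from the original post: the registry paths are the standard Terminal Server keys, the firewall rule name is a constructed label, and the firewall function assumes Vista/Server 2008 or later with the default inbound policy of Block.

```powershell
# Added example, not from the original post: audit the two RDP mitigations the post
# recommends (is Remote Desktop disabled, is the RDP port listening), then optionally
# restrict the port to the local subnet. Registry paths are the standard Terminal
# Server keys; the firewall rule name is a constructed label.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is turned off.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # The listener defaults to 3389, but admins sometimes move it; audit the real port.
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }
    # netstat exists on every Windows release this bulletin mentions, XP and 2003 included.
    $listening = netstat -an -p tcp | Select-String -Pattern ":$port\s+\S+\s+LISTENING"
    [pscustomobject]@{
        RdpDisabled = ($deny -eq 1)
        RdpPort     = $port
        Listening   = [bool]$listening
        # Disabled and not listening is the state the post asks for on unpatchable hosts.
        Exposed     = ($deny -ne 1) -or [bool]$listening
    }
}

function Restrict-RdpToLocalSubnet {
    param([int]$Port = 3389)
    # Needs an elevated prompt and Vista/2008 or later (netsh advfirewall). Turns off
    # the built-in "Remote Desktop" allow rules and re-allows the port only from the
    # local subnet; with the default inbound policy of Block, Internet hosts are denied.
    netsh advfirewall firewall set rule group="remote desktop" new enable=no | Out-Null
    netsh advfirewall firewall add rule name="RDP from local subnet only (constructed)" `
        dir=in action=allow protocol=TCP localport=$Port remoteip=localsubnet | Out-Null
}

Get-RdpExposure | Format-List
```

Run Get-RdpExposure first; only call Restrict-RdpToLocalSubnet on hosts where RDP must stay on and you have confirmed an out-of-band way back in.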



Cumulative Security Update for Internet Explorer

CVE-2012-1523 CVE-2012-1858 CVE-2012-1872 CVE-2012-1873 CVE-2012-1874 CVE-2012-1880 CVE-2012-1881 CVE-2012-1882

Wow, look at all those CVE numbers! This cumulative update really packs them in, fixing not one, not two, but thirteen different vulnerabilities. The worst of these could allow remote code execution if a user views a specially crafted webpage. The attacker only gets the privileges of the locally logged-in user, but if that user happens to be an administrator, well, game over. The various vulnerabilities affect all versions from IE 6 up to and including IE 9. The fixes here involve everything from the way that Internet Explorer handles objects in memory, HTML sanitization using toStaticHTML, the way that Internet Explorer renders data during certain processes, and the way that Internet Explorer creates and initializes strings.



Remote Code Execution in .NET


This one looks particularly nasty. If you have certain versions of the .NET Framework installed, the improper execution of a function pointer could allow an attacker to execute code remotely. This means that any web page, advertisement, or site that can host user-provided content could potentially take advantage of this vulnerability. This issue does not affect IE on Server 2003, 2008 and 2008 R2, since those versions already run under the Enhanced Security Configuration, which should protect you in this case. If you can't apply this patch for whatever reason, you will want to disable XAML browser applications. The settings are in Internet Options on the Security tab: disable Loose XAML, XAML Browser Applications and XPS Documents. You will also want to only run components signed with Authenticode. Don't forget to change the settings under Local Intranet as well.
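The Internet Options workaround above, as an audit-and-apply script for the current user's Internet and Local Intranet zones. This is an added example, not code from the original post; the zone action IDs 2400/2401/2402 and 2004 are as I recall them from Microsoft KB 182569 and should be checked against that article, and the post's "only run components signed with Authenticode" is read here as disabling the unsigned-components action.

```powershell
# Added example, not from the original post: audit and apply the IE zone workaround the
# post describes for the Internet zone (3) and Local Intranet zone (1) of the current
# user. Action IDs 2400/2401/2402 (.NET Framework: XAML browser applications, XPS
# documents, Loose XAML) and 2004 (Run components not signed with Authenticode) are as I
# recall them from Microsoft KB 182569; check them against it. Value 3 means Disable.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$actions  = [ordered]@{
    '2400' = '.NET Framework: XAML browser applications'
    '2401' = '.NET Framework: XPS documents'
    '2402' = '.NET Framework: Loose XAML'
    '2004' = 'Run components not signed with Authenticode'
}
$zones = [ordered]@{ '3' = 'Internet'; '1' = 'Local Intranet' }
$state = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-XamlZoneSettings {
    # One row per zone/action: the current action value and whether it already matches
    # the recommendation. A missing value means the zone's built-in default applies.
    foreach ($z in $zones.Keys) {
        $key = Join-Path $zoneRoot $z
        foreach ($a in $actions.Keys) {
            $v = (Get-ItemProperty -Path $key -Name $a -ErrorAction SilentlyContinue).$a
            $current = 'not set (zone default)'
            if ($null -ne $v) {
                $current = $state[[int]$v]
                if (-not $current) { $current = "unknown ($v)" }
            }
            [pscustomobject]@{
                Zone = $zones[$z]; ValueId = $a; Setting = $actions[$a]
                Current = $current; Hardened = ($v -eq 3)
            }
        }
    }
}

function Set-XamlZoneDisabled {
    # Applies the workaround for the current user: Disable (3) every action in both zones.
    # Group Policy (or the HKLM equivalent) is the fleet-wide route; this is the per-user one.
    foreach ($z in $zones.Keys) {
        $key = Join-Path $zoneRoot $z
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($a in $actions.Keys) {
            Set-ItemProperty -Path $key -Name $a -Value 3 -Type DWord
        }
    }
}

Get-XamlZoneSettings | Format-Table -AutoSize
```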



Remote Code Execution in Lync

CVE-2011-3402 CVE-2012-0159 CVE-2012-1849 CVE-2012-1858

You might notice that one of those CVE numbers starts with 2011 and think, whoa, this has been around since last year? That may or may not be the case. CVE numbers are often reserved while a researcher actively works on a potential vulnerability, and it may take them some time to complete the research, so the fact that the CVE number is a little dated should not be a big concern.

Once again we have the potential for remote code execution, this time centered on how Microsoft Lync handles TrueType fonts. If you haven't heard of Lync, it's Microsoft's corporate messaging system; think Skype, but as a part of Microsoft Office. (Wait, didn't Microsoft buy Skype?) Lync has issues with loading external libraries, which a specially crafted TrueType font can take advantage of. This one is very similar to MS12-037 listed above, but for Lync instead of IE.



MS Dynamics AX Enterprise Portal Elevation of Privilege


This one deals with the Microsoft ERP solution Dynamics AX, specifically the Enterprise Portal. Security researchers found an instance of XSS in a portion of the portal, which is made more serious by the fact that Internet Explorer 8 and 9 will let down their XSS countermeasures when interacting with this product. This happens due to the default settings for the "Intranet Zone", which disable a number of countermeasures in favor of compatibility. Dumb stupid Intranets.

The patch resolves this flaw in Dynamics by properly sanitizing user input, preventing XSS attacks delivered through social engineering via common vectors such as malicious email and websites.



Kernel-Mode Drivers Allow Elevation of Privilege

CVE-2012-1864 CVE-2012-1865 CVE-2012-1866

This update covers five vulnerabilities spread across three CVEs, all of which could result in an elevation of privilege if exploited by a locally logged-in user. The problems lie in how Windows kernel-mode drivers (specifically win32k.sys) validate input passed from user mode and handle TrueType font loading; the update corrects these and also introduces additional runtime validation to the thread creation mechanism. Microsoft hasn't seen any of these vulnerabilities being exploited in the wild, yet, but they expect to.



Windows Kernel Elevation of Privilege

CVE-2012-0217 CVE-2012-1515

MS12-041 is a two-fer, fixing two CVEs with just one update. In both cases the end result is an elevation of privilege, so any user who has local access to a system could run a specially crafted application and get System Administrator privileges, which basically means they own the box and can do anything they want. The issues lie with the Windows User Mode Scheduler and in the way that Windows manages the BIOS ROM. The BIOS vulnerability only affects XP SP3 and Server 2003 SP2, while the Scheduler vulnerability only impacts x64 versions of Win7 and Server 2008 R2 on Intel, so if you are running on 32-bit CPUs, you're safe from this one. Microsoft says that it hasn't seen either of these vulnerabilities being exploited in the wild, yet, but they do expect that exploit code will be written for them.

That's it for this month. Not too bad, comparatively speaking. We will be back next month with another analysis.
