Patch Tuesday: Microsoft Fixes Critical Bug in Remote Desktop Protocol
This month's update from Redmond includes six security advisories, but a pair of IE zero-day exploits demonstrated at last week's Pwn2Own hacking contest remain unpatched.
Microsoft's March "Patch Tuesday" update is taking a slightly different approach than in previous months. Released today, this month's Patch Tuesday update includes six security advisories -- and for the most critical flaws, Microsoft is providing both a patch and a 'Fix It' update.
The critical flaws are addressed in the MS12-020 bulletin, which covers vulnerabilities in the Remote Desktop Protocol (RDP). The flaws could enable an unauthenticated attacker to execute arbitrary code remotely on a system that has Remote Desktop enabled (it is off by default on all supported Windows releases, so only hosts that expose RDP are at immediate risk).
"The patch actually fixes the problem, and the Fix It implements the workaround," Wolfgang Kandek, CTO of security firm Qualys, told InternetNews.com.
Kandek explained that the Fix It update enables Network Level Authentication (NLA), which mitigates the risk that the MS12-020 bulletin warns about: with NLA, the client must authenticate before a full RDP session is set up, so an unauthenticated attacker never reaches the vulnerable code. The Fix It also does not require a system reboot, which the full patch does.
"The Fix It does not cure the root cause," Amol Sarwate, Director of Vulnerability Labs at Qualys, told InternetNews.com. "It does enough to make sure that attackers cannot trigger the vulnerable condition."
Microsoft does not normally release both a Fix It update as well as a full patch at the same time. Typically, Fix It updates have been released as a quick workaround to protect users until a full patch is made available.
"In this case, Microsoft wants users to use NLA," Kandek said. "Microsoft is trying to steer people to review their policies around remote desktop and some users might still have a legacy setting, that is only really necessary if they use older versions that don't support NLA."
Sarwate noted that by releasing the Fix It update as well as the full patch, Microsoft is giving users the chance to mitigate the immediate risk, without the need to immediately do a full reboot.
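What the Fix It changes can be checked and reproduced by hand. The following PowerShell is an added example written for this article; it is not Microsoft's Fix It package and not code from the bulletin. It assumes the default RDP-Tcp listener and uses the Terminal Server registry values that control Remote Desktop and NLA (fDenyTSConnections and UserAuthentication); the legacy setting that Kandek mentions is UserAuthentication = 0, shown here beside the corrected value.

```powershell
# Added example (not from the article or from Microsoft's Fix It): inspect and
# apply the MS12-020 workaround, i.e. require Network Level Authentication for
# RDP. Assumes the default RDP-Tcp listener; run from an elevated prompt.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpNlaState {
    # fDenyTSConnections = 1 means Remote Desktop is disabled (nothing listens on 3389).
    $denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    # UserAuthentication = 1 requires NLA. 0 is the legacy setting: any client can
    # open an RDP session before authenticating, which is the exposure MS12-020 describes.
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
    [pscustomobject]@{
        RemoteDesktopEnabled = ($denyTs -eq 0)
        NlaRequired          = ($nla -eq 1)
        # Exposed only when RDP is reachable AND pre-authentication sessions are allowed.
        Exposed              = (($denyTs -eq 0) -and ($nla -ne 1))
    }
}

function Enable-RdpNla {
    # Same effect as the Fix It: switch the listener to require NLA. No reboot is
    # needed; new connections are checked immediately. Clients that cannot do NLA
    # (for example unpatched Windows XP clients) will no longer be able to connect.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Get-RdpNlaState
}

# Usage: report the current state and apply the workaround only if exposed.
$state = Get-RdpNlaState
if ($state.Exposed) {
    Write-Warning 'RDP is reachable without NLA (legacy setting); enabling NLA.'
    Enable-RdpNla
} else {
    $state
}
```

Two caveats a practitioner should keep in mind. NLA exists only on Windows Vista, Windows Server 2008 and later, so on Windows XP and Windows Server 2003 hosts this workaround is not available and the real fix is the patch itself (or blocking TCP 3389 at the perimeter until it is applied). And, as Sarwate says above, the setting is a mitigation, not a fix: it removes the unauthenticated path to the bug, but the vulnerable code is still there until the MS12-020 update is installed and the system is rebooted.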
In addition to the critical RDP flaw advisory, there are four advisories in the March Patch Tuesday update for issues rated as "Important" by Microsoft. At the top of the list is MS12-017, a denial-of-service flaw in the Windows DNS Server service.
"This is a resource exhaustion issue so it's not one packet or one request by which an attacker could cause a Denial of Service," Sarwate said. "Someone would have to attack you for one or two hours to exhaust all the memory and then your DNS server could go down."
The other fixes in Microsoft's March Patch Tuesday update include fixes for privilege escalation flaws in Windows kernel-mode drivers and in Visual Studio. There is also a fix for a denial-of-service flaw in the DirectWrite text layout and rendering engine.
Lastly, there is an Important-rated fix for a remote code execution flaw in Microsoft Expression Design, a tool that lets web designers build vector graphics for web applications.
"This vulnerability can be exploited by an attacker crafting malicious file formats for an unsuspecting victim to open," Marcus Carey, security researcher at Rapid7 said. "Due to Adobe's dominance in the graphics and web design space, I don't believe this will affect the average organization."
There are at least two zero-day flaws affecting Microsoft software that are not being patched in the March Patch Tuesday update. Last week at the Pwn2Own 2012 event, security firm VUPEN demonstrated a pair of flaws in Microsoft's Internet Explorer browser. Though those flaws have not yet been patched by Microsoft, Qualys' Kandek doesn't anticipate much risk to regular users because the exact nature of the exploits remains secret.
"What the public knows is that there are some zero days," Kandek said. "They are contained in a relationship that has existed for years between ZDI (the Pwn2Own organizers) and Microsoft, and it will be interesting to see if they will fix these issues within the next Patch Tuesday or not."