SpiderLabs Blog

Microsoft Patch Tuesday, March 2012: Beware the RDP's of March

Written by | Mar 13, 2012 1:23:00 PM



In Back to the Future Part 2, the bad next-door neighbor kid gets hold of an almanac from the future when his future self takes the Delorean back in time and gives it to him. I don't know about you, but if I ever see a Delorean parked out front, I'm putting NVD on a stack of Zip Disks and heading back to meet my 2001 self.

MS12-020 would be somewhere near the top of the stack. It's this month's top-priority bulletin and involves unauthenticated Remote Code Execution on XP and newer systems running Remote Desktop Protocol (RDP). I'm not sure it would work in 2001 -- only the still-supported Windows XP SP3 is listed as vulnerable -- but it would be worth a shot. Then, of course, I would tell everyone about it really quickly, via "net send" no doubt, after I turned their listeners on. It's just that important.

Otherwise, there are 4 Important updates and 1 Moderate, including another Remote Code Execution issue, some Privilege Escalation, and a Remote Denial-of-Service. Thanks to Space Rogue for helping out with this month's update.

MS12-020 / KB2671387

Vulnerabilities in Remote Desktop Could Allow Remote Code Execution

Critical

Remote Desktop Protocol Vulnerability, CVE-2012-0002

This first CVE is the one we primarily need to worry about here. Time travel jokes aside, it's scary to think this has been hanging around for a very long time, and it affects RDP across both server and desktop operating systems, XP and 2003 included. Those of you who rely solely on RDP for remote administration, without requiring VPN access first, should patch immediately or find another way to handle remote access. Two things soften the blow a little: Remote Desktop is not enabled by default on any version of Windows, and on Vista, 7 and Server 2008/2008 R2 you can require Network Level Authentication (NLA), which forces the attacker to authenticate before the vulnerable code is ever reached. If TCP port 3389 is exposed to the Internet and you can't enforce NLA, you should really do something about this, like, this afternoon, or at least before dinner. Because getting hacked is bad for digestion.

The only upside here is that there are no known exploits in the wild. This is being done via coordinated disclosure, thankfully, but no doubt there's some serious IDA Pro and BinDiff work going on against that patch right now, and once the changed functions are found the window closes fast. Several Intrusion Detection System vendors, Trustwave included, are releasing detection logic to coincide with this release.

Terminal Server Denial of Service Vulnerability, CVE-2012-0152

Similarly, this vulnerability involves sending a sequence of specially crafted packets to the RDP service, but in this case the attacker simply takes down the service. It does not appear to take down the whole system; it just knocks the RDP service offline. It could even be the same underlying bug as above, just triggered without getting attacker-controlled code to run.
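As an added example (not part of the original post, and not Trustwave tooling), here is the PowerShell check I would run on a Windows host to answer the questions the two RDP CVEs above raise: is Remote Desktop switched on and actually listening, on which port, does it require Network Level Authentication, and is KB2671387 installed? It reads the standard Terminal Services registry values and uses Get-HotFix; the verdict wording is my own, and it assumes it is run locally in an elevated PowerShell 2.0 or later session.

```powershell
# Added example, not from the original post: audit a Windows host against
# MS12-020. Run in an elevated PowerShell 2.0+ session on the host itself.
# Registry paths are the standard Terminal Services settings; KB2671387 is
# the update number from the bulletin. The verdict wording is my own.

function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$tsKey\WinStations\RDP-Tcp"

    $ts   = Get-ItemProperty -Path $tsKey  -ErrorAction SilentlyContinue
    $conn = Get-ItemProperty -Path $rdpTcp -ErrorAction SilentlyContinue

    # fDenyTSConnections = 1 means Remote Desktop is switched off.
    $rdpEnabled = ($ts -ne $null) -and ($ts.fDenyTSConnections -eq 0)

    # Listener port; 3389 unless an admin moved it.
    $port = 3389
    if ($conn -and $conn.PSObject.Properties['PortNumber']) { $port = [int]$conn.PortNumber }

    # UserAuthentication = 1 means Network Level Authentication is required.
    # Vista/2008 and later only: XP and 2003 have no such value, so $nla stays
    # $null there. NLA is a mitigating factor for CVE-2012-0002 because the
    # client must authenticate before the vulnerable code path is reached.
    $nla = $null
    if ($conn -and $conn.PSObject.Properties['UserAuthentication']) {
        $nla = ($conn.UserAuthentication -eq 1)
    }

    # Is anything actually listening on that port right now?
    $listening = [bool](netstat -ano | Select-String -Pattern ":$port\s+.*LISTENING")

    # Get-HotFix reads Win32_QuickFixEngineering, which can miss updates that
    # some installers apply, so "not found" means "verify another way", not
    # "definitely unpatched".
    $patched = [bool](Get-HotFix -Id 'KB2671387' -ErrorAction SilentlyContinue)

    if (-not $rdpEnabled -and -not $listening) {
        $verdict = 'Remote Desktop is off and nothing listens on the port: not exposed'
    } elseif ($patched) {
        $verdict = 'KB2671387 is installed'
    } elseif ($nla -eq $true) {
        $verdict = 'UNPATCHED, but NLA is required: only authenticated users reach the vulnerable code'
    } else {
        $verdict = 'UNPATCHED and reachable before authentication: patch or firewall the port now'
    }

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        Listening    = $listening
        Port         = $port
        NlaRequired  = $nla
        KB2671387    = $patched
        Verdict      = $verdict
    }
}

Get-RdpExposure | Format-List
```

Run it across your estate before worrying about which hosts have 3389 open at the firewall: a box that reports RDP off and nothing listening is out of scope for this bulletin, while an unpatched listener without NLA is the one to fix before dinner.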

MS12-017 / KB2647170

Vulnerability in DNS Server Could Allow Denial of Service

Important

DNS Denial of Service Vulnerability, CVE-2012-0006

If you're running the DNS Server role on any flavor of Windows Server 2003 or 2008 you will want to apply this update. Without it an attacker can send a specially crafted DNS query that crashes the DNS service and forces it to restart; repeating the attack keeps it down, which is a denial of service against everything that depends on that resolver, and obviously wouldn't be good. Microsoft hasn't seen this in the wild yet at all, but that's no reason to slack off and delay updating.

Note: You won't see this update offered by Automatic Updates unless the server actually has the DNS Server role installed.

MS12-018 / KB2641653

Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

Important

PostMessage Function Vulnerability, CVE-2012-0157

Privilege escalation is always nasty, and it's the same here: any authenticated local user could exploit this vulnerability to run arbitrary code in kernel mode. Once you have that capability you can do all sorts of nasty things, including creating new accounts with full admin rights. This one affects just about everything from XP SP3 up to Server 2008 R2, even on Itanium. The vulnerability lives in the kernel-mode driver win32k.sys, which does everything from managing keyboard input to drawing windows on the screen.

While Microsoft has not seen this being actively exploited in the wild, the insider threat is often underestimated, and this is a perfect example of the damage a trusted employee could do. Kernel-mode elevation bugs are also what a client-side exploit chains with to get out of a sandboxed or low-privilege process, so this isn't only an insider story.

MS12-019 / KB2665364

Vulnerability in DirectWrite Could Allow Denial of Service

Moderate

DirectWrite Application Denial of Service Vulnerability, CVE-2012-0156

This vulnerability is only rated "Moderate" but it's still pretty interesting. One of the DirectX APIs is DirectWrite, a text rendering engine used to output high-quality, resolution-independent outline fonts and Unicode text. This vulnerability could allow an attacker to crash an application that uses it, such as Windows Live Messenger or even Internet Explorer 9, if the attacker can get the application to render a specially crafted sequence of Unicode characters. An attacker could do this with a standard phishing email containing a link to a web page with the characters, or by sending an instant message containing them. According to Microsoft this does nothing except crash the application, and it hasn't been seen in the wild yet. But it may be only a hop, skip, and a jump before someone turns this into something more nefarious, so install the patch before they do.

MS12-021 / KB2651019

Vulnerability in Visual Studio Could Allow Elevation of Privilege

Important

CVE-2012-0008, Visual Studio Add-In Vulnerability

Similar to the Insecure Library Loading vulnerability below, but affecting Visual Studio 2008 and 2010, and without the pajamagrams. The issue is that a local user can sneak an "Add-In" into a path Visual Studio loads Add-Ins from. When VS is then run by a local admin, that code runs automatically with admin privileges. The patch fixes how Visual Studio decides which locations Add-Ins may be loaded from.

The details on this one are a bit hazy because it's not being seen in the wild, but it's worth updating, especially on multi-user machines where Visual Studio is installed.

MS12-022 / KB2651018

Vulnerability in Expression Design Could Allow Remote Code Execution

Important

CVE-2012-0016, Expression Design Insecure Library Loading Vulnerability

It's another DLL preloading scenario (call it DLL hijacking or Insecure Library Loading; it's a planted library picked up by the search order, not injection into a running process), and we seem to be getting these regularly on Patch Tuesday. This one affects all versions (1 through 4) of Microsoft Expression Design, an illustration program. It's tough to decide whether to re-explain Insecure Library Loading each time, so when in doubt I usually write haiku:

Path to DLL

Not specific by default

CWD beckons

And for completeness, the above converted to Japanese, to Korean, and back:

The path of the DLL, by default, is not unique motioned for pajamagrams.

Yeah, that pretty much says it all.
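Since the haiku is the whole explanation, here is an added example (not from the original post) of the check I would run for the class of bug behind MS12-022, and that MS12-021 points back to: does this host have Microsoft's system-wide mitigation for current-directory DLL loading turned on, and is the WebClient service, which the WebDAV flavour of the attack needs, running? The registry value is the CWDIllegalInDllSearch setting Microsoft documents in KB2264107; the meanings of its values are taken from that article, and the update it ships with (or a service pack that includes it) must be installed for the value to be honoured. The report wording is my own.

```powershell
# Added example, not from the original post: check the system-wide
# mitigations for insecure library loading that Microsoft documents in
# KB2264107 (the CWDIllegalInDllSearch value) and the WebClient service
# that the WebDAV variant of the attack relies on. Run as an administrator.
# The update from KB2264107, or a service pack that includes it, must be
# installed for the value to be honoured.

function Test-DllPreloadMitigation {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $name = 'CWDIllegalInDllSearch'

    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $raw   = $null
    if ($props -and $props.PSObject.Properties[$name]) { $raw = $props.$name }

    if ($raw -eq $null) {
        $meaning = 'NOT SET: default search order, the current directory is searched (the haiku scenario)'
    } else {
        # A REG_DWORD of 0xFFFFFFFF reads back as the Int32 -1; view it unsigned.
        $value = ([int64]$raw) -band 0xFFFFFFFF
        switch ($value) {
            0          { $meaning = '0: default search order, the current directory is searched' }
            1          { $meaning = '1: current directory skipped when it is a WebDAV folder' }
            2          { $meaning = '2: current directory skipped when it is a remote folder (WebDAV or UNC)' }
            4294967295 { $meaning = '0xFFFFFFFF: current directory removed from the DLL search order entirely' }
            default    { $meaning = "$value: undocumented value, treat as a misconfiguration" }
        }
    }

    # The WebDAV flavour of the attack (a document and its evil DLL on a web
    # share the victim opens) needs the WebClient service; the bulletin's
    # workarounds include disabling it.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $webClient = if ($svc) { $svc.Status.ToString() } else { 'not installed' }

    New-Object PSObject -Property @{
        ComputerName          = $env:COMPUTERNAME
        CWDIllegalInDllSearch = $meaning
        WebClientService      = $webClient
    }
}

Test-DllPreloadMitigation | Format-List

# Hardening (commented out: 0xFFFFFFFF can break applications that
# legitimately load DLLs from their working directory, so test first):
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
#     -Name CWDIllegalInDllSearch -Type DWord -Value ([int32]-1)   # stores 0xFFFFFFFF
```

KB2264107 also lets you set CWDIllegalInDllSearch per application, under the program's own key beneath HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, which is the way to protect a fragile application such as Expression Design without changing the search order for everything else on the box. None of this replaces the patch; it just shrinks the set of hosts where a planted DLL gets loaded while you roll it out.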