Spring is springing, and brings with it March 2012 MS Patch Tuesday.  This week MS released 6 patches, addressing just 7 vulnerabilities.  While the overall volume and criticality of most of this month’s vulns is low, there is a doozy in there that deserves special attention.   This month’s MS patches include the following:


  • (MS12-017) Vulnerability in DNS Server Could Allow Denial of Service (2647170)
  • (MS12-018) Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)
  • (MS12-019) Vulnerability in DirectWrite Could Allow Denial of Service (2665364)
  • (MS12-020) Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
  • (MS12-021) Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019)
  • (MS12-022) Vulnerability in Expression Design Could Allow Remote Code Execution (2651018)


The big fish this month is MS12-020, which addresses a pair vulnerabilities in Microsoft’s Remote Desktop, including one that supports remote code execution.  This vulnerability has a number of properties that make it very concerning:


  • The RDP service, while off by default, is commonly enabled on servers, and occasionally desktops in many environments.  The attack surface in many enterprises for this is very high.
  • The vulnerability can be exploited over the network, and the protocol is often allowed through firewalls.
  • The vulnerability can be exploited without special authentication, in the default configuration.


This is pretty much the perfect storm for a vulnerability.  You can expect attackers to be targeting servers in DMZs with RDP enabled, to use as a jump-off point for additional internal attacks.  In addition, it could support a self-propagating worm, similar to the likes of Conficker in 2008/2009.  On top of this all, the vulnerability is in the Windows kernel itself, making it difficult to mitigate with host-based countermeasures. 


These kinds of vulns don’t come along very often, and deserve some extra-special attention.  Given the potential impact, you can expect that the bad guys will be laser focused on building exploits for this RDP vuln.  While we have not seen any exploits in the wild yet, it’s likely we’ll see some within the next 30 days.  For platforms that support RDP NLA (Network Level Authentication), MS has documented a simple mitigation that adds a requirement for authentication, which greatly reduces the likelihood of a successful attack.



The DNS vulnerability is also worth a mention (MS12-017).  With this vulnerability, an attacker could send a malicious packet to a MS DNS server, resulting in the DNS service stopping serving requests, or restarting.  For organizations who use Microsoft for their Internet-facing DNS, the impact of this would be high, effectively knocking related domains off the Internet.


McAfee’s coverage for this month’s vulns is as follows:


  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 1 out of 7 vulnerabilities this month. (MS12-022)
  • McAfee Application Control is expected to provide protection against exploits of 2 out of 7 vulnerabilities this month. (-021 and -022)
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 5 out of 7 vulnerabilities this month (-017, both -020 vulns, -021, and -022).
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.


Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in.  As more details become available, you’ll find them on the McAfee Threat Center.



You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.



Happy patching!