Hi all,


This week brings us the latest Microsoft Patch Tuesday.  Microsoft has released 6 patches, addressing 11 new vulnerabilities.  Four of this month’s patches are listed by MS as Critical, with the remaining two listed as Important.  Adobe has also released a patch to Acrobat and Reader to address 4 previously undisclosed issues.


Before discussing this month’s new vulnerabilities, it’s worth a quick revisit to a critical vulnerability from last month.  MS12-020 addressed a critical vulnerability in Microsoft Remote Desktop, which has all the right characteristics needed for a self-propagating worm.  The SANS Internet Storm Center went so far as to raise their Infocon level to “Yellow”, for the first time since 2010, as a direct result of the potential risk associated with this vulnerability.  While we have not yet seen widespread attacks or malware in the wild, a few preliminary proof-of-concept exploits have surfaced, including a module for the popular Metasploit penetration testing framework.  RDP merits additional attention over the coming weeks, while we wait for the shoe to drop.


Out of curiosity, I took a look at my own small lab network, and what I saw was eye opening.  Below is a chart from my Nitro SIEM, showing a pretty dramatic spike in inbound RDP events over the last 2 weeks.  Note that there was almost NONE prior. 




Most of these are blocked firewall connections, with a smattering of other things:




While this isn’t cause for panic, it could indicate a potential surge on the horizon.  Customers are advised to:


  • use network-based access controls to block RDP access where it’s not needed,
  • use network IPS to watch for emerging threats and block them proactively, and of course…
  • deploy the patch!
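To make the “watch for emerging threats” advice concrete, here is a small, added example (my own code, not from the post or from any McAfee product) of the kind of check a SIEM or a scheduled script can run over perimeter firewall logs: count inbound TCP/3389 connection attempts per day, compare them against a quiet baseline window, flag days that spike, and list the most active sources for triage. The log format and all addresses are constructed for the example (RFC 5737 documentation ranges); adapt `parse_line` to your own firewall’s export.

```python
import re
from collections import Counter
from datetime import date, datetime

RDP_PORT = 3389

# Constructed sample firewall log lines (not real traffic and not from the post).
# Format assumed here: "<ISO timestamp> <host> key=value ..."
SAMPLE_LOG = """\
2012-03-28T02:14:07Z fw01 action=block proto=tcp src=198.51.100.23 dst=203.0.113.10 dport=3389
2012-03-30T11:02:44Z fw01 action=block proto=tcp src=198.51.100.77 dst=203.0.113.10 dport=3389
2012-04-03T00:12:01Z fw01 action=block proto=tcp src=192.0.2.5 dst=203.0.113.10 dport=3389
2012-04-03T00:12:09Z fw01 action=block proto=tcp src=192.0.2.5 dst=203.0.113.11 dport=3389
2012-04-03T03:40:18Z fw01 action=block proto=tcp src=192.0.2.88 dst=203.0.113.10 dport=3389
2012-04-03T09:01:55Z fw01 action=allow proto=tcp src=192.0.2.9 dst=203.0.113.10 dport=443
2012-04-04T01:15:30Z fw01 action=block proto=tcp src=198.51.100.200 dst=203.0.113.10 dport=3389
2012-04-04T01:16:02Z fw01 action=block proto=tcp src=198.51.100.200 dst=203.0.113.12 dport=3389
2012-04-04T13:22:40Z fw01 action=block proto=tcp src=192.0.2.140 dst=203.0.113.10 dport=3389
2012-04-04T22:48:11Z fw01 action=allow proto=tcp src=198.51.100.44 dst=203.0.113.10 dport=3389
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one 'timestamp host key=value ...' line into a dict, or None if malformed."""
    parts = line.split(None, 2)
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts, "host": parts[1]}
    event.update(KV_RE.findall(parts[2]))
    return event


def rdp_events(log_text):
    """Keep only TCP connection attempts to the RDP port, whether allowed or blocked."""
    events = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event.get("proto") == "tcp" and event.get("dport") == str(RDP_PORT):
            events.append(event)
    return events


def daily_counts(events):
    """Events per calendar day."""
    return Counter(event["ts"].date() for event in events)


def detect_rdp_spike(events, baseline_start, baseline_end, factor=3.0, min_events=3):
    """
    Compare each day on or after baseline_end (ISO date strings) against the
    per-day rate observed in [baseline_start, baseline_end). A day is flagged
    when its count is at least min_events AND at least factor times the baseline
    rate; min_events keeps a baseline of near-zero from flagging every stray packet.
    """
    start, end = date.fromisoformat(baseline_start), date.fromisoformat(baseline_end)
    counts = daily_counts(events)
    baseline_days = (end - start).days
    baseline_total = sum(c for d, c in counts.items() if start <= d < end)
    baseline_rate = baseline_total / baseline_days if baseline_days > 0 else 0.0
    threshold = max(min_events, factor * baseline_rate)
    flagged = sorted((d, c) for d, c in counts.items() if d >= end and c >= threshold)
    return {
        "baseline_rate": baseline_rate,
        "threshold": threshold,
        "flagged": flagged,
        "by_action": Counter(event.get("action") for event in events),
    }


def top_sources(events, days, n=5):
    """Most active source addresses on the given days, for triage and ACL review."""
    day_set = set(days)
    return Counter(e["src"] for e in events if e["ts"].date() in day_set).most_common(n)


if __name__ == "__main__":
    evs = rdp_events(SAMPLE_LOG)
    result = detect_rdp_spike(evs, "2012-03-25", "2012-04-01")
    print(f"baseline {result['baseline_rate']:.2f}/day, threshold {result['threshold']:.1f}, "
          f"actions {dict(result['by_action'])}")
    for d, c in result["flagged"]:
        print(f"SPIKE {d}: {c} inbound TCP/{RDP_PORT} attempts")
    for src, c in top_sources(evs, [d for d, _ in result["flagged"]]):
        print(f"  {src}: {c}")
```

The baseline window should be long enough to cover normal business-hours variation (a week or more), and the `by_action` breakdown is worth watching separately: blocked attempts show scanning pressure, while allowed attempts to hosts that should not expose RDP are the ones that point straight back to the first bullet above.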


As for this month’s vulnerabilities, MS has released the following:


  • (MS12-023) Cumulative Security Update for Internet Explorer (2675157)
  • (MS12-024) Vulnerability in Windows Could Allow Remote Code Execution (2653956)
  • (MS12-025) Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2671605)
  • (MS12-026) Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Information Disclosure (2663860)
  • (MS12-027) Vulnerability in MSCOMCTL.OCX Could Allow Remote Code Execution (2664258)
  • (MS12-028) Vulnerability in Microsoft Office Could Allow for Remote Code Execution (2639185)


They are mostly unremarkable, but not unimportant.  Microsoft highlights MS12-027, which has seen a handful of targeted exploits by attackers, leveraging this vulnerability in Windows Common Controls.  No public exploit code has surfaced yet.  Also worth mentioning: MS12-023 addresses 5 new vulnerabilities in IE, and MS indicates that exploits for these are likely in the future.  On top of these, Adobe has released an update to Acrobat and Reader, patching 4 vulnerabilities which could be exploited via a malicious PDF.


McAfee’s confirmed coverage for this month’s MS and Adobe vulns is as follows:


  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 6 out of 15 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 8 out of 15 vulnerabilities this month.
  • McAfee Application Control is expected to provide protection against exploits of 6 out of 15 vulnerabilities this month.
  • McAfee's Network Security Platform has new signatures confirmed to protect against exploits of 9 out of 15 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.


Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in.  As more details become available, you’ll find them on the McAfee Threat Center.



You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or listening to AudioParasitics, the official McAfee Labs podcast.


Happy patching!