Welcome to the first Patch Tuesday of Summer 2012! This week brings us 7 new security bulletins from Microsoft, addressing 26 unique flaws in various Microsoft products. The bulletins include a heavy concentration of vulnerabilities in Internet Explorer, a new critical RDP vulnerability, and a handful of others.
This month’s patches include the following:
- (MS12-036) Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939)
- (MS12-037) Cumulative Security Update for Internet Explorer (2699988)
- (MS12-038) Vulnerability in .NET Framework Could Allow Remote Code Execution (2706726)
- (MS12-039) Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)
- (MS12-040) Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (2709100)
- (MS12-041) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162)
- (MS12-042) Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)
Observant readers will immediately note that we have yet another patch for Remote Desktop Protocol (RDP), MS12-036. With this vuln, an attacker who is able to reach an RDP server can send an exploit that allows the perpetrator to execute code and deliver a payload of their choice. The attack does not require authentication or any other special privileges. Microsoft patched a similar RDP vulnerability in March 2012 (MS12-020), which caused a flurry of activity in many organizations, as security admins struggled to identify RDP servers that were exposed to the Internet, often in violation of good security policy. Exploits for MS12-020 surfaced in the wild shortly after publication, and we should expect no different with this one.
I’ve been asked by some about best practices for identifying rogue, Internet-facing RDP servers. Two tools I’ve seen used to good effect include vulnerability scanners (looking for any Internet-facing systems listening on port 3389) as well as firewall logs/SIEM (monitoring network devices for successful inbound traffic on port 3389). Now is a great time to dust off your tools and run a quick report or two to ensure you’re not exposing services you don’t expect.
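The firewall-log report described above could look like the following sketch. It is an added example, not part of the original post; the key=value log format, the field names (`action`, `src`, `dst`, `dpt`) and the internal address ranges are assumptions to adapt to your own devices.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: address space considered internal (RFC 1918); adjust to your site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_PORT = 3389
KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines in a generic key=value firewall log format.
SAMPLE_LOG = """\
2012-06-12T09:14:02 action=allow proto=tcp src=203.0.113.7 spt=50211 dst=10.1.4.20 dpt=3389
2012-06-12T09:14:05 action=deny proto=tcp src=198.51.100.23 spt=41002 dst=10.1.4.21 dpt=3389
2012-06-12T09:15:40 action=allow proto=tcp src=10.1.9.14 spt=49877 dst=10.1.4.20 dpt=3389
2012-06-12T09:17:11 action=allow proto=tcp src=198.51.100.23 spt=41019 dst=10.1.4.20 dpt=3389
2012-06-12T09:18:30 action=allow proto=tcp src=203.0.113.7 spt=50388 dst=10.1.7.5 dpt=443
2012-06-12T09:19:02 action=allow proto=tcp src=not-an-ip spt=1 dst=10.1.4.20 dpt=3389
"""

def is_internal(addr):
    """True if addr falls inside one of the configured internal networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in INTERNAL_NETS)

def exposed_rdp_hosts(log_text):
    """Map each internal host to the external sources allowed in on 3389."""
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        # Only successful (allowed) connections to the RDP port matter here.
        if f.get("action") != "allow" or f.get("dpt") != str(RDP_PORT):
            continue
        try:
            if is_internal(f["dst"]) and not is_internal(f["src"]):
                exposed[f["dst"]].add(f["src"])
        except (KeyError, ValueError):
            continue  # malformed line: skip rather than abort the report
    return dict(exposed)

if __name__ == "__main__":
    for host, sources in sorted(exposed_rdp_hosts(SAMPLE_LOG).items()):
        print(f"{host}: inbound RDP allowed from {sorted(sources)}")
```

If your firewall logs the pre-NAT destination, match `dst` against your public address ranges instead of the internal ones.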
Also noteworthy, if only for pure volume, is MS12-037, which addresses 12 new vulnerabilities in all versions of Internet Explorer 6-9 (one of which was discovered by McAfee’s own Yichong Lin). Exploits for one of these vulns have been seen in the wild, as part of limited, targeted attacks. Expect more in the future. Thankfully, most organizations have become very good at testing and rolling out IE patches, since they’ve had so much practice over the years.
Finally, Microsoft has also implemented a new OS feature that allows them to more easily revoke trust from digital certificates that are often used to digitally sign Windows code. Over the last several weeks there has been a great deal of attention drawn to signed malicious code, mostly due to the Flame/Skywiper malware, which used signed code to spread the attack components. However, digitally signed malware is nothing new. McAfee Labs has cataloged more than 200,000 unique pieces of malware with valid digital signatures in the first quarter of 2012 alone. Having the ability to quickly remove trust from untrustworthy certificates is an important tool for fighting this class of malware, but is still a reactive technique. McAfee’s Deep Defender, an exciting technology co-developed with our parent company Intel, also has an important, proactive role to play.
McAfee’s confirmed coverage for this month’s vulns is as follows:
- McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 10 out of 26 vulnerabilities this month.
- McAfee Host Intrusion Prevention is expected to provide protection against exploits of 10 out of 26 vulnerabilities this month.
- McAfee's Network Security Platform has new signatures confirmed to protect against exploits of 14 out of 26 vulnerabilities this month.
- McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.
Additional research is being performed by McAfee Labs, and we expect coverage may improve as additional results roll in. As more details become available, you’ll find them on the McAfee Threat Center.