Patch Tuesday: Microsoft Updates IE, RDP, Certificate Tool


err0r

Microsoft released seven security bulletins addressing 26 unique vulnerabilities in Microsoft Windows, Internet Explorer, and other applications as part of June's Patch Tuesday release on June 12. The company separately announced changes to its automatic updater to block untrusted security certificates. Microsoft updated the updater tool after researchers at Kaspersky Lab uncovered how the Flame malware had gamed the process.

 

Of the three "critical" and four "important" bulletins, security experts agreed that administrators should prioritize the Internet Explorer and Remote Desktop Protocol updates. The Internet Explorer update (MS12-037) affects versions 6, 7, 8, and 9, and "as usual it's the one to patch first," said Andrew Storms, director of security operations at nCircle. Limited exploits for this IE bug have already been observed in the wild, according to Microsoft.

 

The flaw in Remote Desktop (MS12-036), while serious, is somewhat limited in scope, as RDP is not enabled by default on Windows systems. It is similar to the previous RDP vulnerability, which could be exploited without authentication and was patched in March (MS12-020). While there were initial concerns about widespread attacks targeting RDP, that has not happened yet. Businesses that have turned on RDP for remote access to their systems need to patch this remote code execution vulnerability, which could be exploited if an attacker sends a sequence of specially crafted RDP packets.


"While any RDP vulnerability rated as 'exploit code likely' by Microsoft should be taken very seriously, there is still more of a chance that the average IT environment will continue to be hit by drive-by client application style exploits," said Marc Maiffret, CTO at BeyondTrust.


It's worth noting that most businesses that didn't need RDP but had it enabled on their machines have most likely turned it off after the March scare, making the window of attack for this vulnerability even narrower, according to Marcus Carey, a security researcher at Rapid7.


Remaining Patches

The final critical bulletin closes a .NET Framework bug (MS12-038) that would allow an attacker to compromise a user's computer if that user viewed a specially crafted webpage. Two important bulletins for Microsoft Windows (MS12-041, MS12-042) closed elevation of privilege vulnerabilities.


Attack types like DLL preloading and elevation of privilege have become more common than remote code execution, noted Tyler Reguly, technical manager of research and development at nCircle. "We see the remaining bulletins every month and, honestly, I'm getting tired of them," he said.


In the preview notification released last week, Microsoft originally planned to patch important vulnerabilities in Microsoft Office and Visual Basic this month. Instead, the company swapped out Office to fix a TrueType Font flaw in Microsoft Lync (MS12-039), an instant messaging platform for enterprises, which could result in remote code execution. Microsoft Dynamics AX 2012 (MS12-040) is another enterprise-focused application being updated this month.

 

Untrusted Certificates

Microsoft also announced a new automatic updater feature that allows Windows to flag specific certificates as untrustworthy. Systems with this feature check Microsoft servers daily for updated information about certificates that have been revoked and update their local certificate stores immediately, Trustworthy Computing's Angela Gunn wrote on the Microsoft Security Response blog.


This way, if an application using a revoked certificate tries to run on the Windows system, the operating system would be able to block it immediately. In the past, revoking certificates required a manual update.

 

Microsoft will also be releasing a change to how Windows manages certificates that have RSA keys of less than 1024 bits in length, Gunn said. More details are available on Microsoft's PKI blog.

 

Microsoft has been "super busy" in the last few weeks, according to Storms, who noted that the company worked on and delivered a "normal patch Tuesday," while releasing a series of emergency patches to address vulnerabilities exploited by the Flame malware.

 

Source: PCMag

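The post mentions that Windows will change how it treats certificates with RSA keys shorter than 1024 bits. The following PowerShell function is an added example (not from the article, PCMag or Microsoft) that audits the local Windows certificate stores for such keys so an administrator can see what the change would affect; it assumes Windows PowerShell on .NET 4.6 or later (for `RSACertificateExtensions`) and an elevated session so the LocalMachine stores are readable.

```powershell
# Added example: find certificates in the local Windows stores whose RSA public key
# is shorter than the 1024-bit threshold mentioned in the post.
function Find-WeakRsaCertificate {
    param(
        [int]$MinimumKeyBits = 1024,
        [string[]]$Location = @('LocalMachine', 'CurrentUser')
    )
    foreach ($loc in $Location) {
        # Recursing the Cert: drive returns store objects and certificates; keep certificates only.
        $certs = Get-ChildItem -Path "Cert:\$loc" -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] }
        foreach ($cert in $certs) {
            # GetRSAPublicKey returns $null for non-RSA keys (ECC, DSA), so those are skipped.
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            } catch {
                continue   # unreadable or malformed key blob; not an RSA key we can measure
            }
            if ($null -eq $rsa) { continue }
            if ($rsa.KeySize -lt $MinimumKeyBits) {
                [pscustomobject]@{
                    Store      = $cert.PSParentPath -replace '^.*::', ''   # e.g. LocalMachine\Root
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                    KeyBits    = $rsa.KeySize
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    }
}

# List everything the new policy would affect; an empty result means nothing to replace.
Find-WeakRsaCertificate | Sort-Object Store, Subject | Format-Table -AutoSize
```

Certificates reported here will stop being trusted once the policy change ships, so they should be reissued with longer keys or removed before then.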