Four Windows Updates Plug Seven Security Holes

Bulletins Affect RDP, DNS Server, Kernel-Mode Drivers, and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it (One flaw also affects Small Business Server 2003)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted packets to vulnerable computers
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing seven vulnerabilities affecting Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-020: RDP Remote Code Execution and DoS Vulnerabilities

The Remote Desktop Protocol (RDP) is a Microsoft communication standard designed to allow you to gain access to your computers over a network, and to directly control their desktops. Windows Terminal Servers also use the RDP protocol to allow many remote users to share one machine.

Unfortunately, the RDP component that ships with all versions of Windows suffers from two vulnerabilities. The worst is a serious remote code execution flaw, having to do with how the RDP component processes specially crafted sequences of packets. By sending a sequence of such packets to a computer running the RDP service, an attacker could exploit this flaw to gain complete control of that computer. The RDP component also suffers from a less severe Denial of Service (DoS) flaw, which attackers could leverage to cause the RDP service to stop responding to new connections.

This RDP remote code execution flaw is a severe vulnerability. However, the RDP service is not enabled by default on Windows systems. You are only vulnerable to this issue if you have specifically enabled RDP connections. That said, many companies manage Windows Terminal Servers, which do have RDP services enabled. If you manage such servers, we highly recommend you apply the RDP updates immediately.

UPDATE: Microsoft’s Small Business Server (SBS) 2003 has a feature called Remote Web Workplace, which is also vulnerable to these RDP issues.

Microsoft rating: Critical
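Because the RDP flaws only matter on hosts where Remote Desktop is actually enabled and reachable, the first practical step is an inventory. The script below is an added example (it is not part of the original alert and is not WatchGuard code): it reports whether a Windows host has RDP enabled, which port it is configured to use, whether the Remote Desktop Services service is running, and which addresses are listening on the RDP port or on TCP 4125 (the SBS 2003 Remote Web Workplace port named later in this alert). It assumes PowerShell 2.0 or later, an elevated session, and the standard Terminal Services registry locations; the Network Level Authentication check is an extra the alert itself does not discuss.

```powershell
# Added example, not from the original alert: inventory a host's RDP exposure
# to decide how urgently the RDP update applies to it.
# Assumptions: PowerShell 2.0+, run elevated, standard Terminal Services registry paths.

function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is disabled (the Windows default).
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # The listening port can be changed from 3389, so read the configured value.
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # Extra check not covered by the alert: UserAuthentication = 1 means Network Level
    # Authentication is required, so clients must authenticate before a full session.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    # TermService is the Remote Desktop Services service.
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $svcStatus = 'NotInstalled'
    if ($svc) { $svcStatus = $svc.Status.ToString() }

    # Ports of interest: the configured RDP port and 4125 (SBS 2003 Remote Web Workplace).
    # netstat is used rather than Get-NetTCPConnection so the script also runs on 2003/XP-era hosts.
    $watch = @([int]$port, 4125)
    $listeners = @()
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            $p = [int]$Matches[2]
            if ($watch -contains $p) {
                $listeners += New-Object PSObject -Property @{
                    Address = $Matches[1]; Port = $p; ProcessId = [int]$Matches[3]
                }
            }
        }
    }

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = $rdpEnabled
        ConfiguredPort = $port
        NlaRequired    = ($nla -eq 1)
        ServiceStatus  = $svcStatus
        Listeners      = $listeners
        # Reachable over the network only if RDP is enabled AND something is listening.
        NetworkExposed = ($rdpEnabled -and $listeners.Count -gt 0)
    }
}

$report = Get-RdpExposure
$report | Format-List ComputerName, RdpEnabled, ConfiguredPort, NlaRequired, ServiceStatus, NetworkExposed
$report.Listeners | Format-Table Address, Port, ProcessId -AutoSize
```

A listener bound to 0.0.0.0 or [::] on the RDP port means every interface accepts connections, so such hosts should be patched first; a host where RdpEnabled is false and nothing is listening still needs the update, but the remote vector described above is not open on it.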

  • DNS Server DoS Vulnerability

The Server versions of Windows ship with a DNS Server to allow administrators to offer Domain Name System services on their networks. This DNS Server suffers from a DoS vulnerability having to do with how it handles objects in memory when looking up DNS resource records. By sending your Windows DNS Server a specially crafted DNS request, an attacker could exploit this flaw to cause the DNS server to stop responding and reboot.

In general, people often consider DoS flaws less severe than, say, code execution flaws. However, if an attacker takes out your DNS server, he can essentially knock your network offline, as your users will not be able to browse the Internet using human-readable addresses. Though Microsoft only rates this bulletin as Important, we believe it fixes a fairly serious flaw for DNS administrators.

Microsoft rating: Important

  • MS12-018: Kernel-Mode Driver Code Execution Vulnerability

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The kernel-mode driver suffers a serious code execution flaw, stemming from its lack of input validation when handling inputs passed via a particular Windows function (specifically PostMessage). By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important

  • MS12-019: DirectWrite DoS Vulnerability

DirectWrite is a Windows API, which developers can leverage to help their applications handle text in the Windows GUI. It suffers from a minor DoS vulnerability, caused by a flaw in the way it handles a specially crafted sequence of Unicode characters. If an attacker can entice your users to view specially crafted Unicode content via an application that leverages the DirectWrite API, he could leverage this flaw to crash that application. Some applications that leverage DirectWrite include Internet Explorer and Windows Instant Messenger. Unlike the DNS Server DoS vulnerability described above, this flaw is not that severe. Attackers can only exploit it to crash one client application on a user’s machine. The user could then easily restart the application and avoid the content that crashed it.

Microsoft rating: Moderate

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below should take you directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links for the various updates:

For All WatchGuard Users:

Attackers can leverage these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. However, our appliances cannot protect you from local attacks. You should install Microsoft’s updates to completely protect yourself from these flaws.

That said, our appliances can mitigate the risk of the Windows RDP vulnerabilities. By default, WatchGuard’s XTM and Firebox appliances block external RDP access (typically TCP port 3389; SBS 2003 uses TCP port 4125). As long as you haven’t specifically allowed RDP, our default setting will prevent Internet-based attackers from exploiting these RDP flaws against your servers.

Furthermore, if you must allow external access to your Terminal Servers, you can also leverage WatchGuard’s Authentication feature to limit RDP access to users you trust. For more information on WatchGuard’s Authentication features, refer to this help page.
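The perimeter control above can be complemented on the Terminal Server itself, so that a mistaken firewall policy does not leave the host open to every source address. The script below is an added example (not part of the original alert and not a WatchGuard feature): it scopes the built-in Windows Firewall "Remote Desktop" rule group to trusted address ranges using netsh advfirewall. It assumes Windows Vista / Server 2008 or later (where netsh advfirewall exists), an elevated session, and that the address ranges passed in are placeholders you replace with your own trusted networks; without the -Apply switch it only shows the current rule state.

```powershell
# Added example, not from the original alert: restrict the host-side Windows Firewall
# "Remote Desktop" rule group to trusted source addresses.
# Assumptions: Windows Vista/2008 or later, run elevated; ranges below are placeholders.

param(
    [string[]]$TrustedRemoteIp = @('10.0.0.0/8', '192.168.1.0/24'),  # placeholder ranges
    [switch]$Apply                                                   # default: report only
)

function Show-RdpFirewallScope {
    # Print each inbound rule whose name starts with "Remote Desktop", with its
    # properties (Enabled, Profiles, RemoteIP, LocalPort, ...) from the lines that follow.
    netsh advfirewall firewall show rule name=all dir=in |
        Select-String -Pattern '^Rule Name:\s+Remote Desktop' -Context 0,12
}

function Set-RdpFirewallScope {
    param([string[]]$RemoteIp)
    if (-not $RemoteIp -or $RemoteIp.Count -eq 0) {
        throw 'Refusing to apply an empty trusted range; that would lock out all RDP sources.'
    }
    $scope = $RemoteIp -join ','
    # Enable the group, then constrain it so only the listed sources match.
    netsh advfirewall firewall set rule group="remote desktop" new enable=yes | Out-Null
    netsh advfirewall firewall set rule group="remote desktop" new remoteip=$scope
}

if ($Apply) {
    Set-RdpFirewallScope -RemoteIp $TrustedRemoteIp
}
Show-RdpFirewallScope
```

Run it once without -Apply to see the current RemoteIP scope of the rules, and include your own management network in the list before applying; a scope that omits the address you are connecting from will drop your own session.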

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

9 Responses to “Four Windows Updates Plug Seven Security Holes”

  1. Per the security bulletin on the RDP flaw, SBS 2003 users who have opened port 4125 for Remote Web Workplace are also at risk.

    • Corey Nachreiner, March 13, 2012 at 3:28 pm

      David,

      Great catch! I missed that small note in the MS bulletin, and didn’t think of it myself. I will go ahead and update the web version of this alert now.
