Tag Archives: RDP

Windows Updates Fix GDI+, RDP, and TCP Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like XML Core Services)
  • How an attacker exploits them: Multiple vectors of attack, including enticing you to malicious web sites, or into interacting with malicious documents or images.
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as XML Core Services. An attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-036: Two GDI+ Code Execution Vulnerabilities

The Graphics Device Interface (GDI+) is one of the Windows components that helps applications output graphics, to your display or printer. GDI+ suffers from two security flaws. Though they differ technically, the flaws share the same scope and impact, and have to do with how GDI+ handles specially crafted documents or images. If an attacker can entice one of your users into viewing a malicious image or document, perhaps embedded in an email or web site, he can exploit either flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer.

Microsoft rating: Critical

  • MS14-033: MSXML Information Disclosure Vulnerability

Microsoft XML Core Services (MSXML) is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It ships with various versions of Windows, and with other Microsoft products like Office, SharePoint Server, Groove Server, and Expression. If you have a Windows computer, you very likely have MSXML.

According to today’s bulletin, MSXML suffers from an information disclosure vulnerability. If an attacker can entice one of your users to a specially crafted web site, or into opening a malicious document, she could invoke MSXML and leverage this flaw to obtain sensitive information from your user’s system. Specifically, the attacker can gain access to some local path information, and your user’s username.

Microsoft rating: Important

  • MS14-031: TCP Protocol Denial of Service Flaw

The Windows TCP/IP stack implements the networking protocols that let your computer reach the Internet and participate in modern networking. Unfortunately, it suffers from an unspecified Denial of Service (DoS) vulnerability involving its inability to properly parse a specially crafted sequence of TCP packets. By sending such a sequence, an attacker could leverage this flaw to cause your computer to stop responding, causing a DoS condition. However, the attacker would have to initiate a large number of connections, and have control over the TCP options field of each packet.

Microsoft rating: Important

  • MS14-030:  RDP traffic tampering vulnerability

The Remote Desktop Protocol (RDP) is a Microsoft communication standard designed to allow you to gain access to your computers over a network to directly control your desktop. Unfortunately, the RDP component that ships with Windows doesn’t use very robust encryption by default. If an attacker can intercept your RDP traffic in a Man-in-the-Middle (MitM) attack, he could tamper with the session in a way that allowed him to read session information or modify its content. You can enable Network Level Authentication (NLA) to mitigate the risk of this flaw.

Microsoft rating: Important
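As an added example that is not part of the original alert (and is not WatchGuard or Microsoft tooling), the following PowerShell audits the default RDP listener and enforces the NLA mitigation described above, together with the TLS security layer so the session is not protected by legacy RDP encryption alone, and a host-firewall rule that scopes inbound 3389 to a management subnet. It assumes the listener is named RDP-Tcp, an elevated session on Windows 8 / Server 2012 or later (for the NetSecurity cmdlets), and uses 10.0.0.0/24 as a placeholder management subnet.

```powershell
# Added example, not from the original alert. Audits and hardens the default RDP
# listener: require NLA, use the TLS security layer instead of legacy RDP
# security, raise the minimum encryption level, and scope inbound 3389 to a
# management subnet. Assumes listener 'RDP-Tcp', an elevated session on
# Windows 8 / Server 2012 or later, and 10.0.0.0/24 as a placeholder subnet.

$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$SecurityLayerNames = @{ 0 = 'RDP security layer (legacy)'; 1 = 'Negotiate'; 2 = 'TLS' }

function Get-RdpSecurityPosture {
    $cfg   = Get-ItemProperty -Path $ListenerKey
    $ts    = Get-ItemProperty -Path $TsKey
    $layer = [int]$cfg.SecurityLayer
    $layerName = if ($SecurityLayerNames.ContainsKey($layer)) { $SecurityLayerNames[$layer] } else { "unknown ($layer)" }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RdpEnabled         = ($ts.fDenyTSConnections -eq 0)
        NlaRequired        = ($cfg.UserAuthentication -eq 1)
        SecurityLayer      = $layerName
        MinEncryptionLevel = [int]$cfg.MinEncryptionLevel   # 1 Low, 2 Client compatible, 3 High, 4 FIPS
    }
}

function Set-RdpHardening {
    param([string]$ManagementSubnet = '10.0.0.0/24')   # placeholder, replace with your admin subnet

    # Require Network Level Authentication: the client authenticates (CredSSP) before a
    # session exists, so an unauthenticated man-in-the-middle never gets a session to tamper with.
    Set-ItemProperty -Path $ListenerKey -Name UserAuthentication -Value 1 -Type DWord
    # Protect the transport with TLS rather than the legacy RDP security layer.
    Set-ItemProperty -Path $ListenerKey -Name SecurityLayer -Value 2 -Type DWord
    # Minimum encryption level 'High' (128-bit) for any legacy-secured traffic.
    Set-ItemProperty -Path $ListenerKey -Name MinEncryptionLevel -Value 3 -Type DWord

    # Replace the stock allow-from-anywhere Remote Desktop rules with one scoped to the
    # management subnet, so a misconfigured gateway rule is not the only thing in the way.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
    $ruleName = 'RDP - management subnet only'
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $ManagementSubnet -Action Allow | Out-Null

    # The listener reads these values at service start; restarting drops active RDP
    # sessions, so run this from a console or another out-of-band channel.
    Restart-Service -Name TermService -Force
}

Get-RdpSecurityPosture | Format-List
```

Get-RdpSecurityPosture is read-only and is what the script runs by default; call Set-RdpHardening deliberately, and fan either out to many hosts with Invoke-Command. A posture of NlaRequired = False or SecurityLayer = "RDP security layer (legacy)" is the default configuration the alert above warns about.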

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as blocking unsolicited inbound TCP traffic from the Internet), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Seven Security Bulletins Include a Huge IE Update

If there is one day of the month you should really focus on software patching, this is the day. The second Tuesday of the month is both Microsoft and Adobe patch day. If you run a Windows shop, or you use Adobe products on any platform, it’s time for you to get patching!

As they promised, Microsoft released seven bulletins today to fix a wide range of security vulnerabilities in a number of their products, including:

  • Windows and its components,
  • Office (Word),
  • Internet Explorer (IE),
  • and Lync Server.

Microsoft rates two of the bulletins as Critical.

The big news here is the major Internet Explorer (IE) update. Not only does it fix a zero day vulnerability I discussed a few weeks ago, but it corrects a whopping total of 59 security flaws in the popular web browser. If you have Windows computers in your network, you need to patch IE immediately. The second Critical update fixes a Windows graphics component (GDI+) flaw, which attackers can leverage simply by tricking your users into viewing maliciously crafted images.

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can or you can also let Windows’ Automatic Update do it for you. You can find more information about these bulletins and updates in Microsoft’s June Summary advisory.

Adobe’s Patch Day, on the other hand, seems a bit lighter than Microsoft’s. They only released one security update fixing six security flaws in Flash Player. That said, the update fixes some pretty serious vulnerabilities that attackers could exploit just by enticing you to the wrong web site. Be sure to update Flash as well.

I’ll share more details about today’s patches on the blog throughout the day, so stay tuned.  — Corey Nachreiner, CISSP (@SecAdept).

Windows Updates Fix Critical RDC Flaw, and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and some of the components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including luring users to web sites with malicious code or sending specially crafted network packets
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Update do it for you.

Exposure:

Today, Microsoft released six security bulletins that describe around ten vulnerabilities affecting Windows or components related to it, such as Remote Desktop Client, Active Directory, and the Antimalware client (part of Windows Defender in Windows 8). Each of these vulnerabilities affects different versions of Windows to varying degrees. A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-029: Remote Desktop Client Code Execution Vulnerability

Remote Desktop Protocol (RDP) is a Microsoft networking protocol that allows you to view and control the desktop of one Windows computer from another networked computer. Windows ships with the Remote Desktop Client to support this functionality. According to Microsoft, an ActiveX control the Remote Desktop Client uses suffers from a “use after free” vulnerability, which remote attackers can exploit to execute arbitrary code on your system. The attacker would simply have to entice you to a web site containing malicious code to trigger the flaw. As is typical with Windows vulnerabilities, the attacker would gain your privileges, and if you’re a local administrator that means full control of your system.

Microsoft rating: Critical

  • MS13-031: Two Kernel Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. The Windows kernel suffers from two race condition vulnerabilities, which attackers can leverage to elevate their privileges. Though the flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could exploit either flaw to gain complete control of your PC. However, the attacker would first need to gain local access to your Windows computer using valid credentials. This factor significantly reduces the severity of the issue.

Microsoft rating: Important

  • MS13-032: Active Directory Memory Consumption Flaw

Active Directory (AD) provides central authentication and authorization services for Windows computers and ships with server versions of Windows. AD suffers from a memory consumption vulnerability having to do with its inability to properly handle specially crafted LDAP queries. By sending a malicious LDAP query to an AD server, an attacker can exploit this flaw to force the server’s LDAP service to stop responding, putting it into a Denial of Service (DoS) state. However, administrators typically limit LDAP access to their local network, so this vulnerability primarily poses an internal threat.

Microsoft rating: Important

  • MS13-033: CSRSS Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It suffers from a local privilege elevation issue. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important

  • MS13-034: Antimalware Client Elevation of Privilege Vulnerability

The Antimalware Client is a free host-based security program that does just what you’d expect: it protects Windows systems from malicious software (viruses, worms, trojans, etc.), loosely known as malware. It ships with Windows Defender, which comes with Windows 8. It suffers from a local privilege elevation issue having to do with its inability to handle improper pathnames. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly reduces the risk of this flaw. This issue primarily affects Windows 8 computers.

Microsoft rating: Important

  • MS13-036: Multiple Kernel-Mode Driver Vulnerabilities

As mentioned above, the kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from five different privilege elevation vulnerabilities. The vulnerabilities differ technically but share the same scope and impact. By running a specially crafted program, a local attacker can leverage any of these flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of these issues.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed a new signature that can detect and block the Remote Desktop Client vulnerability described above:

  • WEB-ACTIVEX Microsoft RDC ActiveX Control Remote Code Execution Vulnerability (CVE-2013-1296)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Remote Desktop and IE Updates Top April’s Patch Day List

Unless you’re new to IT, you’re probably aware that today, the second Tuesday of the month, is Microsoft Patch Day.

As expected, Microsoft released nine security bulletins today, fixing 13 vulnerabilities across products like Internet Explorer (IE), Windows and its components, SharePoint Server, and a few other Office server products. The two worst, Critical-rated updates fix security problems in IE and the Remote Desktop Client (RDC) that ships with Windows (specifically, its ActiveX control). The vulnerabilities in both these products could help remote attackers launch drive-by download attacks. If an attacker can get your IE or RDC users to visit a specially crafted web site (or a legitimate, hijacked web site), they could leverage these flaws to execute arbitrary code with those users’ privileges. You should download, test, and apply these Critical updates as soon as you can, or let Windows’ automatic updater do it for you.

As an aside, some experts had expected today’s IE update to fix some publicly disclosed vulnerabilities from the recent Pwn2Own contest at a Canadian security conference. In their IE alert, Microsoft credits two Google security researchers for discovering the flaws they fixed today. However, the Pwn2Own IE 10 flaws were disclosed by different researchers from VUPEN. So it appears the Pwn2Own IE flaws are still open issues.

Microsoft also released seven other updates, which they rate as Important. While not as serious as the ones mentioned above, they all fix some relatively risky issues too. In general, I recommend you always install all of Microsoft’s monthly patches as quickly as you can. That said, be sure to at least try and test the server updates before deploying them to your production network.

I’ll post more detailed alerts about these security bulletins as the day progresses. Stay tuned. — Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 39 – RDP Hostages

Hostage RDP Servers, Pin Pad Hacks, and PS3 Key Leak

Are you ready for some Friday water-cooler security gossip? Did you hear about a bunch of RDP servers at Fortune 500 companies getting hacked? How about the story about Dutch law enforcement legally hijacking suspect computers? If not, you’ve come to the right place. I cover those stories and more in today’s WatchGuard Security Week in Review video.

This week’s video comes to you from the road. During the week, I attended Gartner’s Symposium ITxpo, where Gartner analysts covered the trends driving IT innovation. The four main topics included the Cloud, Mobile, Social, and Big Data; many of which match our security predictions themes from this year. In any case, today’s episode is slightly abbreviated due to my travels.

If you are interested in this week’s big RDP hack, a Barnes and Noble pin pad breach, and even a “pwned” gaming console, check out the video below. You can also find links to all the stories I cover in the Reference section of this post.

Thanks for watching, and have a great weekend.

(Episode Runtime: 7:50)

Direct YouTube Link: http://www.youtube.com/watch?v=DTLlJVhDbIg

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

August Windows Bulletins Fix RDP, JScript, and Kernel-Mode Drivers Flaws

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and the components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic, enticing users to visit malicious web content, or running malicious applications
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing seven vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-053: RDP Code Execution Vulnerability in XP

The Remote Desktop Protocol (RDP) is a Microsoft communication standard designed to allow you to gain access to your computers over a network to directly control your desktop.

Unfortunately, the RDP component that ships with Windows XP suffers from a serious security vulnerability having to do with how it handles specially crafted sequences of packets (similar to a flaw described in March). By sending such a packet sequence to a computer running the RDP service, an attacker could exploit this flaw to gain complete control of that computer.

The good news is RDP isn’t enabled by default on Windows systems, and this flaw only affects Windows XP. You’re only vulnerable to this flaw if you specifically enabled RDP on XP systems. However, keep in mind that XP’s Remote Assistance and Remote Web Workplace features also expose RDP.

Microsoft rating: Critical

  • MS12-054: Multiple Windows Network Component Vulnerabilities

Windows ships with various networking components, including the Print Spooler service to help manage print jobs and the Remote Administration Protocol (RAP) used for printer and file share maintenance.

According to this bulletin, these two network components suffer from four vulnerabilities. Three of the vulnerabilities have to do with how these network components handle specially crafted network requests. To summarize, by sending specially crafted RAP requests or print spooler responses, a remote attacker can leverage three of these flaws to execute code on your Windows computers with full SYSTEM-level privileges.

RAP and Print Spooler communications tend to use SMB, which travels over TCP port 445, or via NetBIOS (udp/tcp 137, 138, 139). By default, most firewalls block external access to these ports, which mitigates the risk of this sort of attack from the Internet. Nonetheless, this update fixes very serious flaws, which malware could leverage to help itself spread within your network. We recommend you apply the updates as quickly as possible.

Microsoft rating: Critical

  • MS12-055: Kernel-Mode Driver Elevation of Privilege Flaw

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from a new local elevation of privilege flaw having to do with how it improperly handles objects in memory. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker would first need to gain local access to your Windows computer or trick you into running it yourself, which significantly lessens the severity of this vulnerability.

Microsoft rating: Important

  • MS12-056: JavaScript Integer Overflow Vulnerability

VBScript and JScript are both scripting languages created by Microsoft, which ship with Windows. JScript suffers from an integer overflow vulnerability having to do with how it handles maliciously crafted JavaScript. By enticing you to a specially crafted web page, or into opening any content that can leverage JavaScript, an attacker can leverage this flaw to execute code on your computer with your privileges. If you have admin rights, then it’s game over for your PC.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run executable files locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, our XTM security appliances can mitigate the risk of many of these flaws. By default, we block many of the network ports (SMB and NetBIOS) required for external attackers to exploit these flaws. Furthermore, our XTM appliance’s security services, including Gateway Antivirus (GAV) and Intrusion Prevention Service, can often protect you from these vulnerabilities, or the malware they try to deliver.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Radio Free Security: June 2012 Episode

Dissecting Flame: A Nation-State Cyber Espionage Threat

If you’ve subscribed to our RSS or iTunes feed, you may have noticed June’s episode of Radio Free Security went up a few days ago. I didn’t want to post about it earlier, due to the upcoming U.S. Fourth of July holiday. However, now that you’ve had your fill of fireworks, go check out this month’s informational and educational episode.

For those new to our blog, Radio Free Security (RFS) is a monthly audio podcast dedicated to spreading knowledge about network and information security, and to keeping busy IT administrators apprised of the latest security threats they face online.

June’s episode includes:

  • The Security Spotlight [4:00 – 57:30] – Dissecting Flame: A Nation-State Cyber Espionage Threat. Late last month, researchers discovered a new advanced threat called Flame, which had infected hundreds of Middle Eastern organizations for years. In this month’s spotlight segment, Ben and I discuss this interesting new malware sample. What does it do, how does it spread, and how can you protect yourself from this type of advanced attack? We also discuss the evidence suggesting that Flame is a government-sponsored cyber attack, and what that means for the future of network and information security.
  • Security Story of the Month (SSotM) [58:22 – 1:33:23] – Want to learn about the security highlights from June? Join Christian, Chris, and me in a round-table discussion where we chat about the LinkedIn breach, Apple’s new security stance, and intellectual property swiping malware. Which of these big June stories rises to the top? For the answer to that, and a dose of the latest security news, listen to this month’s SSotM segment.

You can always find the latest episode of Radio Free Security at:

Or just listen to June’s episode using the player below [runtime: 1:37:05].

— Corey Nachreiner, CISSP (@SecAdept)

Four Windows Bulletins Fix RDP, .NET Framework, and Kernel Flaws

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and its optional .NET Framework component.
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets or enticing your users to web sites with malicious content
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing nine vulnerabilities affecting Windows and components that ship with it, including its optional .NET Framework component. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-036: RDP Remote Code Execution Vulnerability

The Remote Desktop Protocol (RDP) is a Microsoft communication standard designed to allow you to gain access to your computers over a network to directly control your desktop. Windows Terminal Servers also use the RDP protocol to allow many remote users to share one machine.

Unfortunately, the RDP component that ships with all versions of Windows suffers from a serious security vulnerability having to do with how it handles specially crafted sequences of packets (similar to a flaw described in March). By sending a sequence of such packets to a computer running the RDP service, an attacker could exploit this flaw to gain complete control of that computer.

Luckily, the RDP service is not enabled by default on Windows systems. You are only vulnerable to this issue if you have specifically enabled RDP connections. That said, many companies manage Windows Terminal Servers, which do enable RDP services. Windows’ Remote Assistance and Remote Web Workplace features also expose RDP. If you manage any workstations or servers using RDP, we highly recommend you apply the RDP patch immediately.

Microsoft rating: Critical
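An added example, not part of the original alert, that serves both this bulletin and the MS14-030 NLA point earlier on this page: rather than trusting each host’s configuration, it sends the first message of the RDP handshake (an X.224 Connection Request carrying an RDP negotiation request, as specified in MS-RDPBCGR) to a list of hosts and decodes the reply to learn what security each listener will accept: legacy RDP security with no negotiation at all (typical of XP), TLS, or CredSSP (NLA). Run it from an outside vantage point to find listeners you have exposed. The hostnames are placeholders, and the code is mine, not WatchGuard’s or Microsoft’s.

```powershell
# Added example, not from the original alert. Sends the first RDP handshake
# message (X.224 Connection Request + RDP_NEG_REQ, MS-RDPBCGR 2.2.1.1) and
# decodes the reply to see what security the listener will accept.
# Hostnames are placeholders.

$Targets = @('ts01.example.local', 'xp-kiosk.example.local', '192.0.2.10')  # placeholders

# requestedProtocols flags (MS-RDPBCGR 2.2.1.1.1)
$PROTOCOL_RDP = [uint32]0   # standard (legacy) RDP security
$PROTOCOL_SSL = [uint32]1   # TLS

# RDP_NEG_FAILURE codes (MS-RDPBCGR 2.2.1.2.2)
$FailureCodes = @{
    1 = 'SSL_REQUIRED_BY_SERVER'; 2 = 'SSL_NOT_ALLOWED_BY_SERVER'; 3 = 'SSL_CERT_NOT_ON_SERVER'
    4 = 'INCONSISTENT_FLAGS'; 5 = 'HYBRID_REQUIRED_BY_SERVER'; 6 = 'SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER'
}

function New-RdpNegotiationRequest {
    param([uint32]$RequestedProtocols)
    $tpkt = [byte[]](0x03, 0x00, 0x00, 0x13)                     # TPKT: version 3, total length 19 (BE)
    $x224 = [byte[]](0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00)   # X.224 CR: LI 14, code 0xE0, refs, class 0
    $neg  = [byte[]](0x01, 0x00, 0x08, 0x00) +                   # RDP_NEG_REQ: type 1, flags 0, length 8 (LE)
            [BitConverter]::GetBytes($RequestedProtocols)        # requestedProtocols (LE)
    return [byte[]]($tpkt + $x224 + $neg)
}

function Read-RdpNegotiationResponse {
    param([byte[]]$Response)
    # Expect TPKT (0x03) followed by an X.224 Connection Confirm (code 0xD0 at offset 5).
    if ($Response.Length -lt 7 -or $Response[0] -ne 0x03 -or ($Response[5] -band 0xF0) -ne 0xD0) {
        return 'not RDP (no X.224 Connection Confirm)'
    }
    # An 11-byte confirm with no RDP_NEG_RSP is a pre-negotiation server: legacy RDP security only.
    if ($Response.Length -lt 19) { return 'legacy RDP security only (no negotiation, MitM-prone)' }
    $type  = $Response[11]                               # 2 = RDP_NEG_RSP, 3 = RDP_NEG_FAILURE
    $value = [BitConverter]::ToUInt32($Response, 15)     # selectedProtocol or failureCode
    if ($type -eq 0x02) {
        switch ($value) {
            0       { return 'standard RDP security accepted (MitM-prone)' }
            1       { return 'TLS accepted, NLA not required' }
            2       { return 'CredSSP (NLA) selected' }
            default { return "selectedProtocol $value" }
        }
    }
    if ($type -eq 0x03) {
        if ($FailureCodes.ContainsKey([int]$value)) { return "refused: $($FailureCodes[[int]$value])" }
        return "refused: failure code $value"
    }
    return "unexpected negotiation type $type"
}

function Test-RdpSecurity {
    param([string]$ComputerName, [uint32]$RequestedProtocols, [int]$Port = 3389, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)   # connect with a timeout
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'closed or filtered' }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $request = New-RdpNegotiationRequest -RequestedProtocols $RequestedProtocols
        $stream.Write($request, 0, $request.Length)
        $buffer = New-Object byte[] 64
        $read = $stream.Read($buffer, 0, $buffer.Length)
        if ($read -le 0) { return 'connected, no reply' }
        return Read-RdpNegotiationResponse -Response ([byte[]]$buffer[0..($read - 1)])
    } catch {
        return "error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

function Get-RdpSecurityReport {
    param([string[]]$ComputerName = $Targets)
    foreach ($target in $ComputerName) {
        [pscustomobject]@{
            ComputerName  = $target
            # Offer TLS only: a listener that requires NLA answers HYBRID_REQUIRED_BY_SERVER.
            TlsOnly       = Test-RdpSecurity -ComputerName $target -RequestedProtocols $PROTOCOL_SSL
            # Offer legacy RDP security only: a hardened listener refuses this outright.
            LegacyRdpOnly = Test-RdpSecurity -ComputerName $target -RequestedProtocols $PROTOCOL_RDP
        }
    }
}

Get-RdpSecurityReport | Format-Table -AutoSize -Wrap
```

Read the two columns together: “legacy RDP security only” or “standard RDP security accepted” means the listener will fall back to the weak default encryption the MS14-030 alert describes, while “refused: HYBRID_REQUIRED_BY_SERVER” on both probes means NLA is enforced. The exchange only tells you what the listener negotiates, not whether it is patched; any host that answers at all from the Internet needs this bulletin’s update and a gateway rule.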

  • MS12-038: .NET Framework Remote Code Execution Vulnerability

The .NET Framework is a software framework used by developers to create new Windows and web applications. The .NET Framework component suffers from a code execution flaw, which has to do with how it handles specially crafted XAML Browser Applications (XBAP). If an attacker can entice a user who’s installed the .NET Framework to a web site containing malicious XBAP, she can exploit this flaw to execute code on that user’s computer, with that user’s privileges. As always, if your users have local administrator privileges, attackers can leverage this flaw to gain full control of their computers. This flaw may also affect custom .NET Framework-based programs, which you might develop and run in-house.

Microsoft rating: Critical

  • MS12-041 and MS12-042: Kernel & Kernel-Mode Driver Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level.

Microsoft released two bulletins today, describing seven local elevation of privilege flaws that affect either the kernel or the kernel-mode driver component. Though these seven flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could leverage any of these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computer using valid credentials – even if only with “Guest” user access. The requirement for local access significantly lessens the severity of these flaws.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run executable files locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, WatchGuard’s firewalls and XTM security appliances can mitigate the risk of many of these flaws. For instance, our appliances mitigate the risk of the Windows RDP vulnerability by blocking external access to the RDP ports (TCP ports 3389 and 4125). As long as you haven’t specifically allowed RDP, our default setting will prevent Internet-based attackers from exploiting the RDP vulnerability described above.

Furthermore, our XTM appliance’s security services, including Gateway Antivirus (GAV) and Intrusion Prevention Service, can also help protect you. For instance, our GAV service will block much of the malware attackers try to deliver when exploiting these sorts of software vulnerabilities.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Another Critical RDP Update

If you manage or run Microsoft products, it’s time to patch; especially if you use Remote Desktop and expose it outside your network.

Microsoft has posted their June security bulletin summary, which describes seven security bulletins fixing 27 vulnerabilities in many of their products, including:

  • Windows
  • Internet Explorer (IE)
  • .NET Framework
  • Microsoft Lync (and Communicator 2007)
  • Microsoft Dynamics AX Enterprise Portal

They rate three of these bulletins as Critical, which typically means remote attackers can exploit them to gain control of affected computers.

The Remote Desktop Protocol (RDP) bulletin and Internet Explorer cumulative patch seem the most concerning to me. RDP is a very popular service, which some users and administrators enable externally. Today’s RDP update fixes a serious vulnerability that remote attackers could leverage to gain full control of your RDP servers. It’s similar in scope to another serious RDP flaw Microsoft fixed in March. If you manage RDP-enabled machines, I’d apply this update quickly.

The IE patch fixes 13 security flaws in the popular web browser. Many of the vulnerabilities allow for code execution, meaning attackers could exploit them to launch drive-by download attacks. Since almost all Microsoft users run IE, and attackers have increasingly leveraged web attacks to spread malware, I’d consider this the most important update, and apply it first. You can apply the other updates in the order suggested by Microsoft’s summary post.

I’ll share more details about these issues, and how to fix them, in consolidated LiveSecurity alerts I’ll post here shortly. Since I suspect only a few administrators use Lync and the Dynamics AX Enterprise Portal, I probably will only describe those updates in a short blog post, later. — Corey Nachreiner, CISSP (@SecAdept)

Radio Free Security: May 2012 Episode

Getting Started with Application Control

If you follow our RSS or iTunes feed, you probably noticed we posted the May episode of Radio Free Security.

For those new to our blog, Radio Free Security (RFS) is a monthly audio podcast dedicated to spreading knowledge about network and information security, and to keeping busy IT administrators apprised of the latest security threats they face online.

May’s episode includes:

  • The Security Spotlight [4:00 – 30:30] – Getting started with Application Control. Many network and security vendors talk about Application Control, but few businesses have actually started using it yet. Perhaps they don’t know it exists, or what it does, or how to deploy it. That’s why Peter and I discuss Application Control in this month’s episode of Radio Free Security. What is it? How might you use it? Will it help protect your network? And, what’s the easiest, most pain-free way to deploy it? Learn all this and more during a brisk interview with one of WatchGuard’s most experienced sales engineers.
  • Security Story of the Month [31:00 – 56:08] – Did you miss the big security news from this month? If so our podcast will catch you up. Richard, Chris, and I discuss upcoming cyber legislation, paid security patches, and Android drive-by downloads. I even squeeze in one surprise story from the end of the month, which will have resounding implications on cyber espionage. Which security story should most concern you? Find out during this monthly roundtable discussion.

You can always find the latest episode of Radio Free Security at:

Or just listen to May’s episode using the player below [runtime: 1:00:00].

— Corey Nachreiner, CISSP (@SecAdept)
