Microsoft patches IE, RDP flaws

Tackles certificate updates in the wake of Flame.

Microsoft has patched a nasty vulnerability in the Remote Desktop Protocol (RDP) and a string of vulnerabilities in Internet Explorer in its patch Tuesday updates for July.

Experts said the RDP hole was likely discovered while Redmond engineers were seeking an earlier, widely publisicised vulnerability in the protocol.

Microsoft marked two of the seven patches addressing 27 vulnerabilities as priorities for IT departments to deploy quickly. 

Among the high-priority fixes is MS12-037, which shores up a baker's dozen of security flaws affecting all supported versions of Internet Explorer.

Cumulative updates for the popular web browser are nearly always considered pressing because of the ease by which malware writers can use the defects to spread malware.

Users can be infected simply by viewing a malicious web page. In fact, one of the bugs being patched already is being exploited in the wild in limited attacks, said Wolfgang Kandek, CTO of vulnerability management firm Qualys.

"We consistently see browsers and their plug-ins as the primary attack vector for crimeware and advanced persistent threats," said Marcus Carey, senior researcher at Rapid7, which provides vulnerability management and penetration testing services.

Two of the 13 IE vulnerabilities were made public, including one that was disclosed by French security firm Vupen at the Pwn2Own hacker conference in Vancouver, British Columbia.

The other high-priority patch shipped on Tuesday is MS12-036, which corrects a privately reported bug in Windows' RDP.

It resembles the former wormable RDP vulnerability patched by Microsoft in March that enabled an uncredentialed attacker to access and install malicious code on a machine running RDP.

The incident turned into a bit of a public relations disaster for Microsoft after a proof-of-concept exploit turned up, leading to a Chinese firewall maker being booted from Microsoft's secret vulnerability sharing program.

No remote exploit ever was posted, only code to launch a denial-of-service attack, but the vulnerability patched in this update could "offer a more reliable attack vector for exploitation," Carey said, adding that many organisations, however, may be protected after disabling RDP in light of what happened in March.

"Today's RDP bug looks equally serious and was probably uncovered in the process of testing the previous RDP bug fixes," said Andrew Storms, who heads security operations at compliance and vulnerability management firm nCircle.

"Given the serious nature of the first RDP bug, it's not surprising that there was a lot of extra testing going on.

"And since today's patch release is conspicuously missing an acknowledgement for the bug finder, it seems safe to assume it was discovered by Microsoft staff."

The remainder of Tuesday's patches address issues considered of less significance, in Windows, Dynamics AX, .NET Framework and Lync.

Last week, Microsoft said it was planning to plug holes in Visual Basic in Office, but scrapped that patch for unknown reasons and added the fix for Lync, the company's unified communications solution.

In addition, Microsoft released a new automatic updater feature for untrusted certificates in Visa and Windows 7, in light of research that the skillfully built Flame espionage virus spread through illegitimately signed certificates.

"This new automatic updater feature provides a mechanism that allows Windows to specifically flag certificates as untrusted," Angela Gunn of Microsoft's Trustworthy Computing department wrote in a blog post.

"With this new feature, Windows will check daily for updated information about certificates that are no longer trustworthy. In the past, movement of certificates to the untrusted store required a manual update."