Microsoft patches IE, RDP flaws

Powered by SC Magazine
 

Tackles certificate updates in the wake of Flame.

Microsoft has patched a nasty vulnerability in the Remote Desktop Protocol (RDP) and a string of vulnerabilities in Internet Explorer in its patch Tuesday updates for July.

Experts said the RDP hole was likely discovered while Redmond engineers were seeking an earlier, widely publisicised vulnerability in the protocol.

Microsoft marked two of the seven patches addressing 27 vulnerabilities as priorities for IT departments to deploy quickly. 

Among the high-priority fixes is MS12-037, which shores up a baker's dozen of security flaws affecting all supported versions of Internet Explorer.

Cumulative updates for the popular web browser are nearly always considered pressing because of the ease by which malware writers can use the defects to spread malware.

Users can be infected simply by viewing a malicious web page. In fact, one of the bugs being patched already is being exploited in the wild in limited attacks, said Wolfgang Kandek, CTO of vulnerability management firm Qualys.

"We consistently see browsers and their plug-ins as the primary attack vector for crimeware and advanced persistent threats," said Marcus Carey, senior researcher at Rapid7, which provides vulnerability management and penetration testing services.

Two of the 13 IE vulnerabilities were made public, including one that was disclosed by French security firm Vupen at the Pwn2Own hacker conference in Vancouver, British Columbia.

The other high-priority patch shipped on Tuesday is MS12-036, which corrects a privately reported bug in Windows' RDP.

It resembles the former wormable RDP vulnerability patched by Microsoft in March that enabled an uncredentialed attacker to access and install malicious code on a machine running RDP.

The incident turned into a bit of a public relations disaster for Microsoft after a proof-of-concept exploit turned up, leading to a Chinese firewall maker being booted from Microsoft's secret vulnerability sharing program.

No remote exploit ever was posted, only code to launch a denial-of-service attack, but the vulnerability patched in this update could "offer a more reliable attack vector for exploitation," Carey said, adding that many organisations, however, may be protected after disabling RDP in light of what happened in March.

"Today's RDP bug looks equally serious and was probably uncovered in the process of testing the previous RDP bug fixes," said Andrew Storms, who heads security operations at compliance and vulnerability management firm nCircle.

"Given the serious nature of the first RDP bug, it's not surprising that there was a lot of extra testing going on.

"And since today's patch release is conspicuously missing an acknowledgement for the bug finder, it seems safe to assume it was discovered by Microsoft staff."

The remainder of Tuesday's patches address issues considered of less significance, in Windows, Dynamics AX, .NET Framework and Lync.

Last week, Microsoft said it was planning to plug holes in Visual Basic in Office, but scrapped that patch for unknown reasons and added the fix for Lync, the company's unified communications solution.

In addition, Microsoft released a new automatic updater feature for untrusted certificates in Visa and Windows 7, in light of research that the skillfully built Flame espionage virus spread through illegitimately signed certificates.

"This new automatic updater feature provides a mechanism that allows Windows to specifically flag certificates as untrusted," Angela Gunn of Microsoft's Trustworthy Computing department wrote in a blog post.

"With this new feature, Windows will check daily for updated information about certificates that are no longer trustworthy. In the past, movement of certificates to the untrusted store required a manual update."

Copyright © SC Magazine, US edition


Microsoft patches IE, RDP flaws
 
 
 
Top Stories
Business-focused Windows 10 brings back the Start menu
Microsoft skips 9 for the "greatest enterprise platform ever".
 
Feeling Shellshocked?
Stay up to date with patching for the Bash bug.
 
Amazon forced to reboot EC2 to patch Xen bug
Rolling restarts over next week.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Constantly rushing to the printer to stop other people seeing your printouts?
Sep 24, 2014
Lexmark's latest family of small-business printers include a feature that lets you stop anyone ...
This 4G smartphone costs $219
Sep 3, 2014
It's possible to spend a lot less on a smartphone if you're prepared to go with a brand you ...
Looking for storage? Seagate has five new small business NAS devices
Aug 22, 2014
Seagate has announced a new portfolio of Networked Attached Storage (NAS) solutions specifically ...
Run a small business in western Sydney?
Aug 15, 2014
This event might be of interest if you're looking to meet other people with a similar interest ...
Buying a tablet? Microsoft's Surface Pro 3 goes on sale this month
Aug 8, 2014
Microsoft has announced its Surface Pro 3 will go on sale in Australia on 28 August from ...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  66%
 
Advanced persistent threats
  4%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  12%
TOTAL VOTES: 1357

Vote