Microsoft patches IE, RDP flaws

Powered by SC Magazine
 

Tackles certificate updates in the wake of Flame.

Microsoft has patched a nasty vulnerability in the Remote Desktop Protocol (RDP) and a string of vulnerabilities in Internet Explorer in its patch Tuesday updates for July.

Experts said the RDP hole was likely discovered while Redmond engineers were seeking an earlier, widely publisicised vulnerability in the protocol.

Microsoft marked two of the seven patches addressing 27 vulnerabilities as priorities for IT departments to deploy quickly. 

Among the high-priority fixes is MS12-037, which shores up a baker's dozen of security flaws affecting all supported versions of Internet Explorer.

Cumulative updates for the popular web browser are nearly always considered pressing because of the ease by which malware writers can use the defects to spread malware.

Users can be infected simply by viewing a malicious web page. In fact, one of the bugs being patched already is being exploited in the wild in limited attacks, said Wolfgang Kandek, CTO of vulnerability management firm Qualys.

"We consistently see browsers and their plug-ins as the primary attack vector for crimeware and advanced persistent threats," said Marcus Carey, senior researcher at Rapid7, which provides vulnerability management and penetration testing services.

Two of the 13 IE vulnerabilities were made public, including one that was disclosed by French security firm Vupen at the Pwn2Own hacker conference in Vancouver, British Columbia.

The other high-priority patch shipped on Tuesday is MS12-036, which corrects a privately reported bug in Windows' RDP.

It resembles the former wormable RDP vulnerability patched by Microsoft in March that enabled an uncredentialed attacker to access and install malicious code on a machine running RDP.

The incident turned into a bit of a public relations disaster for Microsoft after a proof-of-concept exploit turned up, leading to a Chinese firewall maker being booted from Microsoft's secret vulnerability sharing program.

No remote exploit ever was posted, only code to launch a denial-of-service attack, but the vulnerability patched in this update could "offer a more reliable attack vector for exploitation," Carey said, adding that many organisations, however, may be protected after disabling RDP in light of what happened in March.

"Today's RDP bug looks equally serious and was probably uncovered in the process of testing the previous RDP bug fixes," said Andrew Storms, who heads security operations at compliance and vulnerability management firm nCircle.

"Given the serious nature of the first RDP bug, it's not surprising that there was a lot of extra testing going on.

"And since today's patch release is conspicuously missing an acknowledgement for the bug finder, it seems safe to assume it was discovered by Microsoft staff."

The remainder of Tuesday's patches address issues considered of less significance, in Windows, Dynamics AX, .NET Framework and Lync.

Last week, Microsoft said it was planning to plug holes in Visual Basic in Office, but scrapped that patch for unknown reasons and added the fix for Lync, the company's unified communications solution.

In addition, Microsoft released a new automatic updater feature for untrusted certificates in Visa and Windows 7, in light of research that the skillfully built Flame espionage virus spread through illegitimately signed certificates.

"This new automatic updater feature provides a mechanism that allows Windows to specifically flag certificates as untrusted," Angela Gunn of Microsoft's Trustworthy Computing department wrote in a blog post.

"With this new feature, Windows will check daily for updated information about certificates that are no longer trustworthy. In the past, movement of certificates to the untrusted store required a manual update."

Copyright © SC Magazine, US edition


Microsoft patches IE, RDP flaws
 
 
 
Top Stories
Government exploit vendor hacked, client data exposed
Update: Australian agencies potentially compromised.
 
Australia's digital crescendo
Barely unpacked from his move from Amsterdam, Southern Cross Austereo's new digital boss Vijay Solanki is looking for Australia's untapped potential.
 
Turnbull nabs UK govt digital guru as DTO chief
Inaugural CEO to lead change agenda.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Microsoft offering $500,000 in research grants for HoloLens
Jul 8, 2015
Microsoft wants to expand the professional uses of its augmented-reality system
Microsoft Tossup: The planning app for unorganised groups of friends
Jul 8, 2015
App allows friends to research venues, vote on plans and chat. And depending on how you run your ...
Windows 10 drops 29 July... but only for some
Jul 6, 2015
If you've reserved your copy of Windows 10 and are keenly awaiting its 29 July release, don't ...
Xerocon is heading to Melbourne!
Jul 1, 2015
We're not saying Xero is our FAVOURITE or anything, but Xero's 2015 Xerocon conference is being ...
New Microsoft Office apps for Android phones
Jun 26, 2015
Microsoft's latest Office apps for Android now work on phones as well as tablets, further ...
Latest Comments
Polls
Is site blocking effective in stopping piracy?


   |   View results
Yes
  2%
 
No
  86%
 
Somewhat
  12%
TOTAL VOTES: 887

Vote