Microsoft patches second RDP hole, IE bugs

Powered by SC Magazine
 

Baker's dozen of flaws found in Internet Explorer.

Microsoft has patched a nasty vulnerability in the Remote Desktop Protocol (RDP) and a string of vulnerabilities in Internet Explorer in its latest patch updates.

Experts said the RDP hole was likely discovered while Redmond engineers were seeking an earlier widely publisicised vulnerability in the protocol.

Microsoft marked two of the seven patches addressing 27 vulnerabilities as priorities for IT departments to deploy quickly. 

Among the high-priority fixes is MS12-037, which shores up a baker's dozen of security flaws affecting all supported versions of Internet Explorer.

Cumulative updates for the popular web browser are nearly always considered pressing because of the ease by which malware writers can use the defects to spread malware.

Users can be infected simply by viewing a malicious web page. In fact, one of the bugs being patched already is being exploited in the wild in limited attacks, said Wolfgang Kandek, CTO of vulnerability management firm Qualys.

"We consistently see browsers and their plug-ins as the primary attack vector for crimeware and advanced persistent threats," said Marcus Carey, senior researcher at Rapid7, which provides vulnerability management and penetration testing services.

Two of the 13 IE vulnerabilities were made public, including one that was disclosed by French security firm Vupen at the Pwn2Own hacker conference in Vancouver, British Columbia.

The other high-priority patch shipped on Tuesday is MS12-036, which corrects a privately reported bug in Windows' RDP.

It resembles the former wormable RDP vulnerability patched by Microsoft in March that enabled an uncredentialed attacker to access and install malicious code on a machine running RDP.

The incident turned into a bit of a public relations disaster for Microsoft after a proof-of-concept exploit turned up, leading to a Chinese firewall maker being booted from Microsoft's secret vulnerability sharing program.

No remote exploit ever was posted, only code to launch a denial-of-service attack, but the vulnerability patched in this update could "offer a more reliable attack vector for exploitation," Carey said, adding that many organisations, however, may be protected after disabling RDP in light of what happened in March.

"Today's RDP bug looks equally serious and was probably uncovered in the process of testing the previous RDP bug fixes," said Andrew Storms, who heads security operations at compliance and vulnerability management firm nCircle.

"Given the serious nature of the first RDP bug, it's not surprising that there was a lot of extra testing going on. And since today's patch release is conspicuously missing an acknowledgement for the bug finder, it seems safe to assume it was discovered by Microsoft staff."

The remainder of Tuesday's patches address issues considered of less significance, in Windows, Dynamics AX, .NET Framework and Lync. Last week, Microsoft said it was planning to plug holes in Visual Basic in Office, but scrapped that patch for unknown reasons and added the fix for Lync, the company's unified communications solution.

In addition, Microsoft released a new automatic updater feature for untrusted certificates in Visa and Windows 7, in light of research that the skillfully built Flame espionage virus spread through illegitimately signed certs.

"This new automatic updater feature provides a mechanism that allows Windows to specifically flag certificates as untrusted," Angela Gunn of Microsoft's Trustworthy Computing department wrote in a blog post. "With this new feature, Windows will check daily for updated information about certificates that are no longer trustworthy. In the past, movement of certificates to the untrusted store required a manual update."

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Microsoft patches second RDP hole, IE bugs
 
 
 
Top Stories
First look: Microsoft Outlook for iOS
[Update] Office productivity suite for iOS completed with Outlook.
 
NewSat defaults on $26m in overdue Lockheed payments
Jabiru-1 satellite build hits further hurdles.
 
IBM denies plans to cut 112k jobs
But admits to further restructuring.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Microsoft Outlook is now on iPhone and iPad: why could this be useful?
Jan 30, 2015
Microsoft today released Office for Android and Outlook for iOS - complementing the other Office ...
Franchisees, here's something you should know about
Jan 23, 2015
You need to know the Code if you are a franchisee or franchisor as the penalties are significant.
Xero users rejoice! Quoting has finally arrived
Jan 23, 2015
It has taken years, but Xero has at last added integrated quoting to its online accounting software.
You can now get a no-contract wi-fi tablet from Telstra
Jan 17, 2015
Telstra has began selling wi-fi tablets out of contract without paying extra for cellular ...
Get your business ready for 2015: mobile payments
Jan 2, 2015
These handy apps from MYOB, Xero and others can reduce your administrative load and improve ...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  36%
 
Your insurance company
  5%
 
A technology company (Google, Facebook et al)
  9%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  4%
 
A Federal Government agency (ATO, Centrelink etc)
  18%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  7%
TOTAL VOTES: 3093

Vote
Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
  27%
 
I DON'T support shutting the OAIC.
  73%
TOTAL VOTES: 986

Vote