BeyondTrust Patch Tuesday
March 13, 2012
Microsoft Patch Summary
This month, Microsoft released six bulletins that fix a total of seven vulnerabilities. Of these vulnerabilities, there were two remote code execution vulnerabilities, two elevation of privilege vulnerabilities, and three denial of service vulnerabilities.
Patch MS12-020 immediately to prevent exploitation by attackers. Patch MS12-017, MS12-018, MS12-021, and MS12-022 as soon as possible. Patch MS12-019 at the earliest convenience. As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.
- Web Event: Vulnerability Expert Forum (VEF)
- Presenters: The eEye Research Team
- Date/Time:
Wednesday, March 14th
1pm PT / 4pm ET / 9pm GMT
BULLETIN / ADVISORY DETAILS
MS12-017
Vulnerability in DNS Server Could Allow Denial of Service (2647170)
Microsoft Rating:
CVE:
CVE-2012-0006
Analysis:
This bulletin addresses a privately reported denial of service vulnerability in the Microsoft Windows DNS implementation. The patch fixes the DNS server's cache functionality with respect to how the server handles objects in memory during the process of looking up a resource record. An attacker that successfully exploited this vulnerability would be able to force a target machine to restart.
Recommendation:
Deploy patches as soon as possible. Until the patch can be installed, periodically clear the DNS cache.
MS12-018
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)
Microsoft Rating:
CVE:
CVE-2012-0157
Analysis:
This bulletin addresses a privately reported elevation of privilege vulnerability in the Windows kernel. The patch fixes the vulnerable kernel driver, which fails to properly handle data received via a call to the PostMessage function. A local attacker that successfully exploited this vulnerability would gain kernel level access to the target machine.
Recommendation:
Deploy patches as soon as possible; no mitigation is available.
MS12-019
Vulnerability in DirectWrite Could Allow Denial of Service (2665364)
Microsoft Rating:
CVE:
CVE-2012-0156
Analysis:
This bulletin addresses a publicly reported denial of service vulnerability in Microsoft DirectWrite. The patch fixes how DirectWrite handles certain sequences of Unicode characters. An attacker that successfully exploited this vulnerability would be able to cause programs that parsed certain Unicode character sequences to become unresponsive.
Recommendation:
Deploy patches as soon as possible; no mitigation is available.
MS12-020
Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
Microsoft Rating:
CVE List:
CVE-2012-0002 and CVE-2012-0152
Analysis:
This bulletin addresses two privately reported vulnerabilities within Remote Desktop: a remote code execution vulnerability and a denial of service vulnerability. The patch fixes how memory is accessed after receiving certain sequences of RDP packets. To exploit the RCE vulnerability on systems that have Network Level Authentication enabled, attackers will need to authenticate with the target system (either through the use of valid login credentials or through the use of a separate exploit). A remote attacker that successfully exploited the RCE vulnerability would gain System level access to the target machine.
Recommendation:
Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, turn on Network Level Authentication for supported systems (Vista, 7, Server 2008, Server 2008 R2). Additionally, block port 3389 at the perimeter firewall and disable any remote services if they are not necessary, such as Terminal Services, Remote Desktop, Remote Assistance, and/or Remote Web Workplace.
MS12-021
Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019)
Microsoft Rating:
CVE:
CVE-2012-0008
Analysis:
This bulletin addresses a privately reported elevation of privilege vulnerability in Microsoft Visual Studio. The patch fixes how Visual Studio loads add-ins by preventing add-ins from being loaded from insecure file locations. A local non-administrator attacker could exploit this vulnerability by placing a malicious add-in in an insecure file location. When an administrator loads Visual Studio, the attacker’s add-in would be loaded and executed with administrator privileges.
Recommendation:
Deploy patches as soon as possible; no mitigation is available.
MS12-022
Vulnerability in Expression Design Could Allow Remote Code Execution (2651018)
Microsoft Rating:
CVE:
CVE-2012-0016
Analysis:
This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Expression Design. The patch fixes an insecure library loading vulnerability that occurs when opening files with a XPR or DESIGN file extension. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.
Recommendation:
Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 at the perimeter firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.
Feedback
The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.
Disclaimer
The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Notice
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.