Microsoft’s Patch Tuesday Focuses on Critical RDP Patch

March 2012 Patch Tuesday might be light on actual bulletins—there are six—but
security researchers are nonetheless advising companies to fix the “critical”
one posthaste.

That critical bulletin, MS12-020 (Windows), addresses an issue in Remote Desktop
Protocol (RDP). While Microsoft insisted in a March 13 posting on the Microsoft
Security Response Center blog that “we know of no active exploitation in the
wild,” it also advised that “customers examine and prepare to apply this
bulletin as soon as possible.” As it stands, the vulnerability allows an
attacker to achieve remote-code execution; Microsoft is offering a one-click,
no-reboot fix-it “that enables Network-Level Authentication, an effective
mitigation for this issue.”

Of the five other bulletins, two are rated “important” and relate to Expression
Design (MS12-022) and Visual Studio (MS12-018). Two other important ones apply
to different configurations of Windows and Windows Server, and focus on Kernel
(MS12-018) and Domain Name System (DNS) (MS12-017). The last, rated “moderate,”
deals with DirectWrite (MS12-019).

But outside analysts hammered home Microsoft’s point about the urgency in
patching the RDP

“Last fall we saw the RDP worm Morto attacking publicly exposed Remote Desktop
services across businesses of all sizes with brute-force password guessing,”
Kurt Baumgartner, senior security researcher for Kaspersky Lab, wrote in a
March 13 posting on Securelist. “The Morto worm incident brought attention to
poorly secured RDP services. Accordingly, this Remote Desktop vulnerability
must be patched immediately.”

he added, most companies fail to sufficiently secure their RDP services. “It
seems to me that every time a small and medium-sized organization runs a
network, the employees or members expect remote access,” he wrote. “In turn,
this Remote Desktop service is frequently exposed to public networks with lazy,
no-VPN or restricted communications at these sized organizations.”

Instead, he advised, “RDP best practices should be followed requiring strong
authentication credentials and compartmentalized, restricted network access.”

Other analysts agreed with that assessment. “This patch should be your highest
priority if you use RDP,” wrote Paul Henry, security and forensic analyst at
Lumension, in reference to MS12-020.

should disable RDP when not needed, added Marcus Carey, security researcher at
Rapid7. “Organizations should also apply appropriate ingress firewall rules
where they can,” he wrote. “Organizations should be ready to test and deploy
the patch as soon as possible. RDP is not enabled by default, but many times it
is turned on for administration tasks and just left enabled.”

Follow Nicholas Kolakowski on Twitter 

