Microsoft released six security bulletins to cover one critical, four important and one moderate flaw on its Patch Tuesday for March.
As revealed by SC Magazine, the patches will address seven issues in Microsoft Windows, Visual Studio and Expression Design.
Trustworthy Computing spokesperson Angela Gunn said: “We understand that our customers need time to evaluate and test all bulletins before applying them. To provide for a bit of scheduling flexibility, we're offering a one-click, no-reboot fix it that enables network-level authentication, an effective mitigation for this issue.
“It applies to Vista, Server 2008, Win7 and Server 2008R2 systems. You can read all about it on the SRD blog.”
Microsoft recommended focusing on the critical bulletin MS12-020 first, as this patches a vulnerability in its Remote Desktop Protocol (RDP) implementation. The bulletin also patches a moderate-class issue; Microsoft said that it doesn't know of any active exploitation in the wild.
Wolfgang Kandek, CTO at Qualys, said: “RDP is a popular method for controlling remote Windows machines; however, it is not active by default on standard Windows installations. It needs to be configured and started by the system's owner, which then makes the vulnerability accessible; consequently we expect that only a relatively small percentage of machines will have RDP up and running.
“The vulnerability itself is accessible through the network, does not require authentication and allows code execution on the targeted machine, a highly prized combination by attackers. Microsoft has rated its exploitability index as 1, meaning that they expect working exploits to be out in fewer than 30 days.”
Jason Miller, manager of research and development at VMware, said: “Although Microsoft is stating that most machines do not have RDP enabled by default, I know of many organisations that use RDP to troubleshoot machines.
“This bulletin simply scares me when it comes to protecting an environment from future attacks. This vulnerability has the real potential to become victim to a worm outbreak if it is not patched. Although this vulnerability may be difficult to exploit, I can assure you attackers will be working hard to create a valid attack against the vulnerability.”
Andrew Storms, director of security operations at nCircle, said: “The most common use for this tool is on servers in the data centre and that's quite serious. However, this feature is widely used by IT teams to support remote users, so it's often turned on in laptops and remote servers.
“This is also a very serious security issue for the millions of servers residing in public clouds because user-enabled RDP is likely to be the method for access.”
Tyler Reguly, technical manager of security research and development at nCircle, said: “Today might be the month to throw the patch rulebook out the window and install this patch faster than your enterprise patch cycle normally allows. It's critical that enterprises apply the MS12-020 patch as quickly as possible. I'm surprised that Microsoft waited to release MS12-020 during their normal patch cycle.”
Looking at the other patches, Reguly said that as they are for DLL Preloading and Local Privilege Escalation flaws, this was a normal and rather generic Patch Tuesday.
Kandek said: “Microsoft's five other vulnerabilities are less severe and should be applied within your normal patch cycles if the involved software is installed. For example, MS12-017 is a denial-of-service attack against Microsoft DNS server; MS12-022 is a DLL preloading attack against Expression Design; and MS12-021 is an add-in weakness in Visual Studio.”