March 13, 2012 11:55 AM (PT)
The nCircle VERT Alert is brought to you by nCircle VERT, nCircle's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.
Today's VERT Alert addresses 6 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-449 on Wednesday, March 14th.
| Vulnerability | CVE |
|---|---|
| DNS Denial of Service Vulnerability | CVE-2012-0006 |
| PostMessage Function Vulnerability | CVE-2012-0157 |
| DirectWrite Application Denial of Service Vulnerability | CVE-2012-0156 |
| Remote Desktop Protocol Vulnerability | CVE-2012-0002 |
| Terminal Server Denial of Service Vulnerability | CVE-2012-0152 |
| Visual Studio Add-In Vulnerability | CVE-2012-0008 |
| Expression Design Insecure Library Loading Vulnerability | CVE-2012-0016 |
MS12-017
The first bulletin released today addresses a single vulnerability in Microsoft's DNS Server. Successfully exploiting this denial of service could lead to a full system restart. The problem occurs when a malicious query triggers improper memory handling.
MS12-018
The vulnerability fixed by MS12-018 is one that I would put on the list of "common culprits" that we expect to see on a regular basis. In this case, the "common culprit" is the Windows Kernel-Mode Drivers (Win32k.sys), and we're seeing another local privilege escalation. We saw win32k.sys patched last month and prior to that in December 2011, so this is clearly an expected patch for enterprises to deal with.
MS12-019
This may be the most surprising bulletin this month, simply because Microsoft rarely patches client-side denial of service. This has the standard attack vectors (web-based and email) but adds another, rarely seen, attack vector: Instant Messenger. A character combination sent to IM clients, such as Windows Live Messenger, can cause the client to hang.
MS12-020
The highest risk issue this month is, without a doubt, MS12-020. The attack vector we're talking about is a remote, unauthenticated service. While the word should not be used lightly, this definitely falls into the potentially wormable category and should be high on everyone's patch list. Microsoft has released an excellent blog post on this vulnerability, which includes details on how to change your settings to turn this remote, unauthenticated vulnerability into a remote, authenticated vulnerability. Please also note that every version of Windows is affected by this vulnerability.
MS12-021
This less-than-critical bulletin applies to Visual Studio, which already minimizes the base of users affected by this issue. In addition, a user must be logged in and interacting with the system in order to exploit this vulnerability and escalate their privileges. Exploiting this vulnerability requires placing a malicious Visual Studio Add-In in the VS path and waiting for someone with high privileges to run Visual Studio.
MS12-022
The last bulletin this month is our second "common culprit". This time we're seeing seldom-mentioned software, Microsoft Expression Design, vulnerable to the increasingly common DLL Preloading attack. The default affected extensions, should you have Expression Design installed, are .xpr and .DESIGN.
As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.
Ease of Use (published exploits) to Risk Table:

| Ease of Use / Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |
|---|---|---|---|---|---|---|
| Automated Exploit | | | | | | |
| Easy | | | | | | |
| Moderate | | | | | | |
| Difficult | | | | | | |
| Extremely Difficult | | | | | | |
| No Known Exploit | | | | | | |

All data and commentary is based on information available when the VERT Alert is published. The VERT Alert may be updated on the nCircle website as new information surfaces: http://www.ncircle.com/index.php?s=resources_VERT-Alert.



