Microsoft closes critical RDP hole in Windows
Microsoft has released six security bulletins to close a total of seven holes in its products. According to the company, one of the bulletins (MS12-020), rated as critical, addresses two privately reported vulnerabilities in its implementation of the Remote Desktop Protocol (RDP).
The first of these is a "critical-class" issue in RDP that could be exploited by an attacker to remotely execute arbitrary code on a victim's system. Although RDP is disabled by default, many users enable it so they can administer their systems remotely within their organisations or over the internet. All supported versions of Windows from Windows XP Service Pack 3 to Windows 7 Service Pack 1 and Windows Server 2008 R2 are affected.
As the issue was reported to company by the Zero Day Initiative (ZDI), Microsoft says that it has yet to see any active attacks exploiting these in the wild, but warns that, "due to the attractiveness of this vulnerability to attackers", it anticipates "that an exploit for code execution will be developed in the next 30 days". Because of this it recommends that installing the updates should be made a priority.
However, as some customers "need time to evaluate and test all bulletins before applying them", Microsoft has also provided a workaround and a no-reboot "Fix it" tool that enables Network-Level Authentication (NLA) to mitigate the problem. A second "moderate-class" denial-of-service (DoS) which can cripple an RDP server was also fixed.
Another vulnerability is fixed in bulletin MS12-018 which provides a patch for a privilege escalation issue in all versions of Windows that could allow a user with limited rights to run arbitrary code in kernel mode, that is, with system privileges. The vulnerability exists in the PostMessage function of the kernel-mode driver in win32k.sys. Microsoft's bulletin MS12-019 addresses a denial of service vulnerability in DirectX's DirectWrite where trying to render a particular sequence of Unicode characters can lock up an application; the bug affects Vista and later versions of Windows.
Administrators who run a Windows server will want to download the patch from MS12-017 which addresses a DoS vulnerability in Windows Server's DNS service. Developers should take note of MS12-021, which describes and fixes a privilege escalation vulnerability when loading plugins in Visual Studio, and MS12-022, which fixes what appears to be a binary planting vulnerability in Expression Design.
An overview of all of these updates, including descriptions about each of the vulnerabilities, can be found in Microsoft's Security Bulletin Summary for March 2012.