Bulletins Affect RDP, DNS Server, Kernel-Mode Drivers, and More
- These vulnerabilities affect: All current versions of Windows and components that ship with it (One flaw also affects Small Business Server 2003)
- How an attacker exploits them: Multiple vectors of attack, including sending specially crafted packets to vulnerable computers
- Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.
Today, Microsoft released four security bulletins describing seven vulnerabilities affecting Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.
- MS12-020: RDP Remote Code Execution and DoS Vulnerabilities
The Remote Desktop Protocol (RDP) is a Microsoft communication standard designed to allow you to gain access to your computers over a network, and to directly control their desktops. Windows Terminal Servers also use the RDP protocol to allow many remote users to share one machine.
Unfortunately, the RDP component that ships with all versions of Windows suffers from two vulnerabilities. The worst is a serious remote code execution flaw, having to do with how the RDP component processes specially crafted sequences of packets. By sending a sequence of such packets to a computer running the RDP service, an attacker could exploit this flaw to gain complete control of that computer. The RDP component also suffers from a less severe Denial of Service (DoS) flaw, which attackers could leverage to cause the RDP service to stop responding to new connections.
This RDP remote code execution flaw is a severe vulnerability. However, the RDP service is not enabled by default on Windows systems. You are only vulnerable to this issue if you have specifically enabled RDP connections. That said, many companies manage Windows Terminal Servers, which do have RDP services enabled. If you manage such servers, we highly recommend you apply the RDP updates immediately. Microsoft's bulletin also lists requiring Network Level Authentication (NLA) as a workaround on Vista, Server 2008 and later, because NLA forces the client to authenticate before the vulnerable packet processing is reached; it reduces exposure to unauthenticated attackers, but it is not a substitute for the patch.
UPDATE: Microsoft’s Small Business Server (SBS) 2003 has a feature called Remote Web Workplace, which is also vulnerable to these RDP issues.
Microsoft rating: Critical
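The paragraphs above reduce to a few questions an administrator needs answered for every Windows host: is Remote Desktop enabled, is anything actually listening on the RDP port (or on 4125, the SBS 2003 Remote Web Workplace port), is NLA required, and is the MS12-020 update installed? The PowerShell below is an added example written for this edit; it is not WatchGuard's or Microsoft's code. It assumes the standard registry locations for the Terminal Server settings and uses the KB numbers of the MS12-020 update packages as listed in the bulletin's Affected Software table (KB2621440, and KB2667402 for the DoS fix on Windows 7 / Server 2008 R2); confirm those against the bulletin for your Windows version before relying on the result.

```powershell
# Added example (not from the original alert): audit this Windows host for its
# exposure to the MS12-020 RDP flaws. Run from an elevated PowerShell prompt.
# ASSUMPTION: the KB IDs below are the MS12-020 update packages from the
# bulletin's Affected Software table; verify them for your Windows version.
$Ms12020Kbs = @('KB2621440', 'KB2667402')

function Get-RdpExposure {
    $tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means Remote Desktop is disabled (the Windows default).
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # Listener port (PortNumber, default 3389) and whether NLA is required (UserAuthentication = 1).
    $props = Get-ItemProperty -Path $rdpTcpKey -ErrorAction SilentlyContinue
    $port  = if ($props.PortNumber) { [int]$props.PortNumber } else { 3389 }
    $nla   = ($props.UserAuthentication -eq 1)

    # Is the Remote Desktop Services service (TermService) running at all?
    $svc     = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $running = ($svc -and $svc.Status -eq 'Running')

    # Collect every TCP port in LISTENING state from netstat (works on XP/2003 through current releases).
    # Lines look like: "TCP  0.0.0.0:3389  0.0.0.0:0  LISTENING  1234"; the local port is after the last ':'.
    $listening = netstat -ano -p tcp |
        Where-Object { $_ -match 'LISTENING' } |
        ForEach-Object { [int](($_.Trim() -split '\s+')[1].Split(':')[-1]) } |
        Sort-Object -Unique

    # Get-HotFix reports updates installed through Windows Update or WUSA.
    $installedKb = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $patched = @($Ms12020Kbs | Where-Object { $installedKb -contains $_ }).Count -gt 0

    $rdpListening = ($listening -contains $port)
    $rwwListening = ($listening -contains 4125)   # SBS 2003 Remote Web Workplace

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        RdpEnabled           = $rdpEnabled
        TermServiceRunning   = $running
        RdpPort              = $port
        RdpPortListening     = $rdpListening
        RwwPort4125Listening = $rwwListening
        NlaRequired          = $nla
        Ms12020Installed     = $patched
        # At risk = something reachable is speaking RDP and the update is absent.
        AtRisk               = (($rdpListening -or $rwwListening) -and -not $patched)
    }
}

Get-RdpExposure | Format-List
```

A host whose report shows RdpEnabled false but RdpPortListening true deserves a closer look: a third-party product or a non-default WinStation can keep a listener up regardless of the fDenyTSConnections setting. For fleet-wide use, run the function through Invoke-Command against your server list and filter on AtRisk.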
- MS12-017: DNS Server DoS Flaw
The Server editions of Windows ship with a DNS Server role that lets administrators offer Domain Name System services on their networks. This DNS Server suffers from a DoS vulnerability having to do with how it handles objects in memory when looking up DNS resource records. By sending your Windows DNS Server a specially crafted DNS request, an attacker could exploit this flaw to cause the DNS service to stop responding and automatically restart.
In general, people often consider DoS flaws less severe than, say, code execution flaws. However, if an attacker takes out your DNS server, he can essentially knock your network offline, as your users will not be able to browse the Internet using human-readable addresses. Though Microsoft only rates this bulletin as Important, we believe it fixes a fairly serious flaw for DNS administrators.
Microsoft rating: Important
- MS12-018: Kernel-Mode Driver Elevation of Privilege Vulnerability
The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode driver (win32k.sys) that implements the kernel side of the Windows windowing and graphics subsystem. This driver suffers from a serious elevation of privilege flaw, stemming from its lack of input validation when handling inputs passed via a particular Windows function (specifically PostMessage). By running a specially crafted program, a local attacker could leverage this flaw to execute code in kernel mode and gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.
Microsoft rating: Important
- MS12-019: DirectWrite DoS Vulnerability
DirectWrite is a Windows API, which developers can leverage to help their applications render text in the Windows GUI. It suffers from a minor DoS vulnerability, caused by a flaw in the way it handles a specially crafted sequence of Unicode characters. If an attacker can entice your users to view specially crafted Unicode content via an application that leverages the DirectWrite API, he could leverage this flaw to crash that application. Some applications that leverage DirectWrite include Internet Explorer and Windows Live Messenger. Unlike the DNS Server DoS vulnerability described above, this flaw is not that severe. Attackers can only exploit it to crash one client application on a user's machine. The user could then easily restart the application and avoid the content that crashed it.
Microsoft rating: Moderate
Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.
The links below should take you directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links for the various updates:
For All WatchGuard Users:
Attackers can leverage these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. However, our appliances cannot protect you from local attacks. You should install Microsoft’s updates to completely protect yourself from these flaws.
That said, our appliances can mitigate the risk of the Windows RDP vulnerabilities. By default, WatchGuard's XTM and Firebox appliances block external RDP access (typically TCP port 3389; SBS 2003's Remote Web Workplace uses TCP port 4125). As long as you haven't specifically allowed RDP, our default setting will prevent Internet-based attackers from exploiting these RDP flaws against your servers.
Furthermore, if you must allow external access to your Terminal Servers, you can also leverage WatchGuard’s Authentication feature to limit RDP access to users you trust. For more information on WatchGuard’s Authentication features, refer to this help page.
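The firewall default described above is only a mitigation if nobody has punched a hole through it, so it is worth confirming from the outside. The PowerShell below is an added example written for this edit, not WatchGuard's or Microsoft's code. Run it from a host outside your perimeter (from inside it proves nothing about the firewall) against your own public addresses; the 203.0.113.x targets are documentation placeholders. It opens a TCP connection and sends an X.224 Connection Request carrying an RDP negotiation request; a real RDP listener answers with an X.224 Connection Confirm (TPDU code 0xD0), and the negotiation response reveals whether the server selected standard RDP security, TLS or NLA. Port 4125 on SBS 2003 fronts a Remote Web Workplace proxy rather than a plain RDP listener, so on that port treat an open TCP connection as exposure even when the probe does not see a Connection Confirm.

```powershell
# Added example (not part of the original alert): from OUTSIDE the firewall, check
# whether RDP (3389) or SBS 2003 Remote Web Workplace (4125) answer on your public IPs.
function Test-RdpListener {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 3389,
        [int]$TimeoutMs = 3000
    )

    # TPKT header + X.224 Connection Request + RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1),
    # asking for TLS (0x1) or NLA/CredSSP (0x2) so the server discloses its negotiation policy.
    $request = [byte[]](
        0x03, 0x00, 0x00, 0x13,                      # TPKT: version 3, total length 19
        0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00,    # X.224 CR: LI=14, code 0xE0, dst/src ref 0, class 0
        0x01, 0x00, 0x08, 0x00,                      # RDP_NEG_REQ: type 1, flags 0, length 8
        0x03, 0x00, 0x00, 0x00                       # requestedProtocols = PROTOCOL_SSL | PROTOCOL_HYBRID
    )

    $result = [pscustomobject]@{
        Target      = "${ComputerName}:$Port"
        TcpOpen     = $false
        IsRdp       = $false
        Negotiation = 'n/a'
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with an explicit timeout; a filtered port never answers, so never block forever.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $result }
        $client.EndConnect($async)
        $result.TcpOpen = $true

        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($request, 0, $request.Length)

        $buf = New-Object byte[] 64
        $n = $stream.Read($buf, 0, $buf.Length)

        # X.224 Connection Confirm: TPKT version 3 at offset 0, TPDU code 0xD0 at offset 5.
        if ($n -ge 7 -and $buf[0] -eq 0x03 -and $buf[5] -eq 0xD0) {
            $result.IsRdp = $true
            if ($n -ge 19 -and $buf[11] -eq 0x02) {
                # RDP_NEG_RSP: selectedProtocol is the DWORD at offset 15.
                $result.Negotiation = switch ($buf[15]) {
                    0       { 'Standard RDP security (no TLS, no NLA)' }
                    1       { 'TLS' }
                    2       { 'NLA (CredSSP)' }
                    default { "protocol $($buf[15])" }
                }
            } elseif ($n -ge 19 -and $buf[11] -eq 0x03) {
                # RDP_NEG_FAILURE: failureCode at offset 15 (e.g. 5 = NLA required by server).
                $result.Negotiation = "negotiation failure, code $($buf[15])"
            } else {
                $result.Negotiation = 'no negotiation response (legacy server)'
            }
        }
    } catch {
        # Connection refused, reset, or read timeout: keep whatever was learned so far.
    } finally {
        $client.Close()
    }
    return $result
}

# Placeholder public addresses (RFC 5737 documentation range): replace with your own.
$targets = @('203.0.113.10', '203.0.113.11')
foreach ($t in $targets) {
    foreach ($p in 3389, 4125) { Test-RdpListener -ComputerName $t -Port $p }
}
```

Any row with TcpOpen true means a firewall rule is allowing the port through from the Internet; if IsRdp is also true and Negotiation is anything other than NLA, an unauthenticated attacker can reach the packet processing the MS12-020 bulletin describes, and that host should be patched first.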
Microsoft has released patches correcting these issues.
- Microsoft Security Bulletin MS12-017
- Microsoft Security Bulletin MS12-018
- Microsoft Security Bulletin MS12-019
- Microsoft Security Bulletin MS12-020
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
David Weston says
Per the security bulletin on the RDP flaw, SBS 2003 users who have opened port 4125 for Remote Web Workplace are also at risk.
Corey Nachreiner says
Great catch! I missed that small note in the MS bulletin, and didn’t think of it myself. I will go ahead and update the web version of this alert now.