eEye Digital Security

Patch Tuesday June 2012: RDP broken, again. Stuxnet TTF, again.

Overview

This is shaping up to be an interesting Patch Tuesday, with critical vulnerabilities being released across a combination of operating system components and client applications. In total there are 7 Microsoft Security Bulletins covering 26 distinct vulnerabilities in this June 2012 Microsoft Patch Tuesday. Microsoft rates more than half of these vulnerabilities as likely to be exploited. On top of all of the vulnerability fixes, Microsoft has also added an automatic updater capability for determining if a system has any certificates that are no longer trustworthy. This shows how much more seriously Microsoft is now taking the variety of certificate-related vulnerabilities that have plagued its customers over the last few years.

RDP Broken Again

The bulletin that will probably get the most attention is MS12-036, which covers a vulnerability within Microsoft’s Remote Desktop. This comes on the heels of a previous RDP vulnerability (MS12-020) that made a lot of news this past March. Now before everyone goes and says the sky is falling, it is important to step back and get perspective on the previous RDP flaw and the fact that there still has not been a public exploit for it beyond sample DoS “exploits.” While any RDP vulnerability rated as “exploit code likely” by Microsoft should be taken very seriously, there is still more of a chance that the average IT environment will continue to be hit by drive-by client application style exploits.

Internet Explorer Drive-by

That brings us to MS12-037, a bulletin that covers more than 13 different Internet Explorer vulnerabilities across all versions of Internet Explorer. This is probably one of the most severe bulletins because exploit code is likely to be created for one or more of these vulnerabilities, which leads to the potential for drive-by malware attacks across all versions of Internet Explorer. This, in our opinion, is one of the more important sets of patches to roll out as soon as possible.

Update

MS12-037 fixes a 0day discovered by the guys over at Vupen. This 0day was used successfully to win the most recent pwn2own contest.

Stuxnet/Duqu TrueType Font, awesome.

Our favorite bulletin for this June Patch Tuesday is MS12-039, which fixes a variety of vulnerabilities within Microsoft’s Lync client, but most interestingly fixes a vulnerable TrueType Font parsing code reuse flaw. Some of you might remember that one of the zerodays that Stuxnet and Duqu used was a kernel privilege escalation vulnerability that leveraged a flaw in the parsing of TrueType Fonts. This original zeroday was fixed by Microsoft in security bulletin MS11-087. Then last month we saw Microsoft release another bulletin (MS12-034) that covered this same TrueType Font parsing vulnerability, CVE-2011-3402. It turns out that developers at Microsoft had reused the same vulnerable TrueType Font parsing code within multiple different products. In order to find other places where this code might have been reused Microsoft created an internal system called “Cloned Code Detection.” This system is what was able to find those other vulnerable TTF code reuse issues fixed in MS12-034.

Now here we are 7 months after the original Stuxnet/Duqu fix for TrueType Font parsing and this same code reuse bug has reared its ugly head except this time within Microsoft’s Lync. It could be that the “Cloned Code Detection” system has had some tweaks to it that allowed it to find more instances of this code reuse or it could be that Lync in all its goofy chat glory was the forgotten product that simply never had this tool run against it. Either way, for the Microsoft developer who seemingly wrote the vulnerable TrueType Font parsing code and posted it on the Microsoft Cafeteria whiteboard for everyone to copy, they should feel confident that while this TTF parsing code is the gift that keeps on giving, it is still nowhere near the constant gift that DLL Hijacking has been.
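The page does not describe how Microsoft's "Cloned Code Detection" system works. As an added illustration (not code from eEye or Microsoft), one common way to hunt for copies of a known-flawed routine is to fingerprint runs of normalized tokens, so that renamed variables and changed comments still match. All function names and the sample C snippets below are constructed for this example.

```python
import re
from hashlib import sha1

KEYWORDS = {"if", "else", "for", "while", "return", "int", "char", "unsigned", "void"}
TOKEN = re.compile(r"[A-Za-z_]\w*|\d+|[^\s\w]")

def normalize(source):
    """Strip comments; map identifiers to ID and numbers to NUM."""
    source = re.sub(r"/\*.*?\*/|//[^\n]*", " ", source, flags=re.S)
    out = []
    for tok in TOKEN.findall(source):
        if tok[0].isdigit():
            tok = "NUM"
        elif (tok[0].isalpha() or tok[0] == "_") and tok not in KEYWORDS:
            tok = "ID"
        out.append(tok)  # keywords and punctuation pass through unchanged
    return out

def fingerprints(source, k=8):
    """Hash every run of k normalized tokens (k-gram shingles)."""
    toks = normalize(source)
    return {sha1(" ".join(toks[i:i + k]).encode()).hexdigest()
            for i in range(len(toks) - k + 1)}

def containment(known_flawed, candidate, k=8):
    """Fraction of the flawed routine's shingles that also occur in candidate."""
    bad = fingerprints(known_flawed, k)
    return len(bad & fingerprints(candidate, k)) / len(bad) if bad else 0.0

def scan(known_flawed, corpus, threshold=0.8):
    """Return the names of corpus entries that likely contain a clone."""
    return sorted(name for name, src in corpus.items()
                  if containment(known_flawed, src) >= threshold)

# Constructed sample inputs (not real Microsoft or TrueType code).
KNOWN_FLAWED = """
int read_table(unsigned char *buf, int count, unsigned char *out) {
    int i;
    for (i = 0; i < count; i++) { out[i] = buf[i + 4]; }  /* count unchecked */
    return count;
}"""
CORPUS = {
    "product_b/glyphs.c": """
void init(void) { return; }
int loadGlyphs(unsigned char *src, int n, unsigned char *dst) {
    int j; for (j = 0; j < n; j++) { dst[j] = src[j + 4]; }  // copy entries
    return n;
}""",
    "product_c/sum.c": "int checksum(unsigned char *p, int len) "
                       "{ int s = 0; while (len--) s += *p++; return s; }",
}
```

Calling scan(KNOWN_FLAWED, CORPUS) flags only the renamed copy in the constructed "product_b" file; a product that is never fed into such a scan is never flagged, which is the second possibility the post raises for Lync.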

Outro

All in all, there are some very critical vulnerabilities this month including privilege escalation in MS12-041 and MS12-042, a remote code execution in the .NET Framework (MS12-038) and even a bulletin covering Microsoft’s Dynamics AX ERP solution.

The two most important bulletins are MS12-037 for Internet Explorer and MS12-036 for Remote Desktop. Currently the Internet Explorer vulnerabilities appear to be a more immediately exploitable threat but given the value of Remote Code Execution on RDP there will surely be a lot of folks trying to weaponize that vulnerability. Only time will tell if people are successful with this RDP flaw where they were not with the one in March.

Join Tomorrow’s Vulnerability Expert Forum

Remember to join us tomorrow at 1pm PDT for our monthly Patch Tuesday assessment, where we’ll discuss the Microsoft bulletins in more depth, as well as a recap on the Flame malware. Sign up here.

*Note: If you are ready to answer the VEF question surrounding our Kindle Giveaway, you’ve reached the right spot. Please post your comments below. We will select a Kindle winner within the next few weeks.*


10 Comments:

  • Tom Neill

    The media hype about Stuxnet did not affect my reaction to Flame at all. It’s just another exploit in the never-ending list of exploits that we will have to live with for the rest of our lives.

  • Rob Kraft

    I think the media hype did cause me to react more quickly to Flame, and I think this was good. Basically it caused me to more quickly assess the nature of the vulnerability to see if it was a concern for the systems I support.

  • Philippe

    This is a post following the Vulnerability Expert Forum June 2012 webinar.

    Flame did prompt a lot of questions from management. The first thing we did was to look for trustworthy sources to cut through the hype.

    At the time, the following article really helped recenter the debate,

    http://nakedsecurity.sophos.com/2012/05/29/flame-malware-the-biggest-the-baddest-a-little-perspective/

    Regards,

    Philippe

  • Greg Whyte

    Stuxnet, Aurora and Zeus helped nudge us out of the malware coma we’d fallen into.

    The non-stop droning we’d heard, primarily from security companies, plotting the increases in the number of malwares helped us to drop into that coma. If we need to deal with 1200% increases in malwares – 83 million per quarter! McAfee reported recently – well, we aren’t really going to deal with that. It was easy to lump them all into one basket and then assume endpoint protection was doing a good enough job with that basket.

    But seeing the sophistication of the Stuxnet, Aurora and Zeus attacks was like seeing the first shots of laser-guided missiles; it was obvious that this was a departure from old school carpet bombing. And it was the in-depth reporting about these threats, that I suppose you could call media hype, that helped us realize our users would be targets of laser-guided malware that was markedly different from everything else in the basket.

    The coverage of these events also helped raise attention where we always need it the most – from the business. They’re curious enough about how these attacks take place that they’ve read the articles and are interested in what we’ve done to increase protection, and want to know if they can be doing something themselves.

    So when information about Flame became available we immediately started following it, and when recommendations and remediations became available we were eager consumers.

  • John Ruhl

    The media hype surrounding Stuxnet did indeed cause me to react differently when I first heard about Flame. When the May 28 headline on Wired.com declared “Flame: a cyber weapon that makes Stuxnet look cheap” I knew I could send the article to even my most non-security minded friends and they would eagerly read it and understand the importance of Flame. With media attention giving Stuxnet widespread “brand recognition” as the first cyber-weapon I was able to use it as an entry point to the whole “security is really important and stuff” conversation with people who in the past would have died of boredom at the thought of discussing security issues that don’t impact them directly. Had I sent my girlfriend an article with the headline “Flame: a cyber weapon that makes Duqu look cheap” it would have ended up in the trash next to the recent PCWorld article “Mac Malware Outbreak Is Bigger than ‘Conficker’” which she deleted a few days before announcing “I have some virus called “Flashback” what is that?”

  • Greg B.

    I think that all of the hype behind Stuxnet did change the way that I viewed Flame. When details of Stuxnet came out, I couldn’t believe the lengths that the creators had gone to in order to get access to, report back from, and then manipulate the air-gapped equipment. It really illustrated how far well-funded organizations could go in order to hit their target. It was not as big of a surprise then when Duqu and now Flame came out because we knew it could be done. The reaction then was, holy cow, this could be much more widespread than initially thought……what else could still be out there. There are many state-sponsored groups out there that we have no idea what they’ve been into along these lines. For me this emphasizes once again that if someone wants access bad enough, they will stop at nothing to get that access. This is why we practice defense-in-depth and go to extreme lengths to protect and monitor our most important data. It is not enough to pick one product, sit it out there, and let it go.

  • Mona

    As Stuxnet was the 1st one discovered and published in the media, the new flavor we faced was less surprising. For sure, the new one could affect more computers than Stuxnet but we are now prepared for this new virus generation.

  • Daniel T.

    With such new virus proliferation and intelligence, we are now less protected to attack, whatever we could try to do to be protected.
    With Stuxnet presentation in the media, new viruses of this kind are more proving the new risks. What is new for all viruses discovered as Flame is to get the details of the proliferation way and the mitigate solution (if there are any…)

  • R.G.

    Stuxnet was the 1st, not the last. After having seen the complexity and efficiency of the virus, all the new ones which are discovered and published are showing more tips and breaches to get access to the computer. As we are now informed of these new exploits, Flame is just seen as another flavor of the security risk and attack we will have to face in the future, and not only from Agencies but from hacker team or corporation…

  • Steve H

    No. It’s just another of the endless line of poor code writing techniques and poor discipline/vulnerabilities that MS is so well known for producing. It’s good to be King if you are King. MS does not mind hitting the public up every 2 – 4 years for new expensive versions/updates of their various SW products but they continue to use the average consumer as their real beta testers.
