March 2012 Patches - Remote Desktop Vulnerability

    Hi, Habr!
    Here is our expert Kurt Baumgartner's post on the March "Patch Tuesday"!

    The batch of patches for March 2012 addresses a number of vulnerabilities in Microsoft technologies, including a bug in the Remote Desktop service (a pre-authentication ring0 use-after-free RCE), a DoS vulnerability in Microsoft DNS Server, and several less critical local EoP vulnerabilities.

    Let's start by explaining to less technical readers what a Remote Desktop pre-auth ring0 use-after-free RCE is. Remote Desktop is a service that gives users remote access to a system running Windows: a window opens showing the desktop of the computer you are connected to, as if you were physically sitting at that computer. Typically, the system requires credentials. Unfortunately, this bug is such that a remote attacker who can reach the Remote Desktop service over the network can successfully attack the system without entering credentials. "ring0" means that the vulnerable code sits deep in Windows, at the kernel level of the operating system. (For reference, most applications run at ring3, the so-called user mode.) Use-after-free is a type of vulnerability that allows penetration into the system. As predicted several years ago, vulnerabilities of this type are extremely difficult to eradicate, even though a huge number of “stack overflow” and “heap overflow” vulnerabilities have already been cleaned out by automated code checking and best coding practices. Finally, “RCE” (remote code execution) is the type of exploit that the vulnerability makes possible: an attacker can deliver the malicious code he needs to the system and steal data. Thus we get a "pre-auth ring0 use-after-free RCE".

    It seems that whenever a small or medium-sized organization sets up a network, employees expect to be given remote access. In turn, such organizations often expose the remote desktop service over public networks without a VPN and without significant restrictions. You should follow best practices for remote desktop use, which include strict authentication requirements and compartmentalized network access with differentiated rights.

    Some enterprises and other large organizations keep building fortified corporate perimeters while still permitting the use of remote desktop. The problem is that laptops and mobile devices that support the protocol will inevitably be used to access the network from cafes and other places with public WiFi, where they are at risk of attack because of the weak security policy set by the user. The infected device is then brought back into the secure corporate network and infects a large number of systems from the inside. To protect corporate networks where patch installation may be delayed, Microsoft provides a tool that adds network-level authentication, which protects against exploitation of the vulnerability.
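
    To see whether a given host already requires network-level authentication for Remote Desktop, the relevant settings can be read from the registry. The script below is an added example, not part of the original post or of Microsoft's tool; the registry paths are the standard Windows Terminal Services locations, and the helper function names are made up for this illustration.

```powershell
# Added example: report whether this host accepts RDP connections and whether
# Network Level Authentication (NLA) is required before a session is created.
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {            # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-EffectiveValue {      # hypothetical helper name
    param([string]$Name, [string]$LocalPath)
    # A Group Policy value, when present, overrides the local setting.
    $fromPolicy = Get-RegValue -Path $policy -Name $Name
    if ($null -ne $fromPolicy) { return $fromPolicy }
    Get-RegValue -Path $LocalPath -Name $Name
}

$deny  = Get-EffectiveValue -Name 'fDenyTSConnections' -LocalPath $ts
$nla   = Get-EffectiveValue -Name 'UserAuthentication' -LocalPath $rdpTcp
$layer = Get-EffectiveValue -Name 'SecurityLayer'      -LocalPath $rdpTcp
$port  = Get-RegValue -Path $rdpTcp -Name 'PortNumber'

$rdpEnabled  = ($deny -eq 0)       # 0 = connections allowed, 1 = refused
$nlaRequired = ($nla -eq 1)        # 1 = authenticate before session setup
$layerName   = switch ($layer) {
    0 { 'RDP security layer' }
    1 { 'Negotiate' }
    2 { 'SSL (TLS)' }
    default { 'unknown' }
}

$finding = if (-not $rdpEnabled) {
    'RDP is not accepting connections on this host'
} elseif ($nlaRequired) {
    'RDP is enabled and NLA is required'
} else {
    'RDP is enabled WITHOUT NLA: require NLA and install the patch'
}

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nlaRequired
    SecurityLayer = $layerName
    Port          = $port
    Finding       = $finding
}
```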

    Last fall, we observed the Morto worm, which brute-forced passwords for publicly accessible remote desktop services at companies. The worm spread mainly because the passwords for administrator accounts were extremely weak! After the incident with this worm, the professional community turned its attention to the weak protection of remote desktop services. Obviously, this vulnerability needs to be patched immediately. The fact that this is a ring0 use-after-free vulnerability may complicate matters, but Microsoft's experts assigned the vulnerability a danger level of 1; most likely, these characteristics will not prevent an exploit from appearing in the near future. So do not delay installing the patch for the CVE-2012-0002 vulnerability.

    Lastly, we should add that Microsoft DNS servers contain DoS vulnerabilities. Given the growing activity of hacktivists over the past year, enterprises and providers running this software should treat installing the DNS server patches as urgent. And, just in case, a sign of an attack is an increase in the number of requests over your standard UDP protocol. Be careful!
