Malware, Network Security, Patch/Configuration Management, Vulnerability Management

Flaw in Microsoft tool that enables remote connect is patched

Microsoft on Tuesday released six patches to address seven vulnerabilities across its product line, but one of the fixes stole the spotlight.

Bulletin MS12-020 is the only one rated "critical." It patches two privately reported bugs in Remote Desktop Protocol (RDP), the protocol administrators commonly use to connect to and manage Windows machines remotely.

The more severe of the two flaws, which affects all supported versions of Windows, lets an attacker with no credentials run code of their choosing on any machine that has RDP listening, unless network-level authentication (NLA) is enforced. NLA requires the client to authenticate before the vulnerable code is reached, which is why it works as a mitigation.

Microsoft expects working exploits to appear soon.

"Note that [the vulnerability] was privately reported and we are not aware of any attacks in the wild," according to a Microsoft Security Research & Defense blog post. "Additionally, [RDP] is disabled by default. However, due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days."

Security experts said Tuesday that the threat of a worm is particularly high for small and midsize businesses, which often lack protections such as a VPN for employee endpoints that connect to the corporate network remotely.

"The problem is that RDP-enabled mobile laptops and devices will make their way to coffee shops or other public Wi-Fi networks, where a user may configure a weak connection policy, exposing the laptop to attack risk," wrote Kurt Baumgartner, a senior security researcher with Kaspersky Lab, in a Tuesday blog post. "Once infected, they bring back the laptop within the 'walled castle' and infect large volumes of other connected systems from within."

The prevalence of cloud deployments also makes the vulnerability a pressing concern, said Andrew Storms, director of security operations at vulnerability management firm nCircle.

"This is also a very serious security issue for the millions of servers residing in public clouds because user-enabled RDP is likely to be a method for access," he said.

Baumgartner cited the worm Morto, which spread over RDP last summer and fall by brute-forcing weak administrator passwords rather than by exploiting a bug, as an example of what can happen when an RDP weakness is exposed to the network.

Experts who analyzed Tuesday's update agreed that organizations should apply the patch immediately. Recognizing that some are slow to deploy fixes, Microsoft also released a "one-click, no-reboot Fix-It that enables network-level authentication, an effective mitigation for this issue."
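For administrators who want to audit a fleet rather than click a Fix-It on each box, the following PowerShell script is an added example (it is not from the article and not Microsoft's Fix-It). Run in an elevated session on the host, it reports whether RDP is enabled, whether NLA is already required, which security layer the RDP-Tcp listener uses, and whether the bulletin's update is installed, then optionally enforces NLA the same way the Fix-It does. The registry paths and the Win32_TSGeneralSetting WMI class are Microsoft's standard ones; the KB number in $PatchKb is an assumption that should be confirmed against the MS12-020 bulletin for your platform before relying on the "PatchPresent" result.

```powershell
# Added example: audit a Windows host's exposure to the MS12-020 RDP flaw
# and, with -Enforce, require network-level authentication (NLA).
# Not from the article or from Microsoft. $PatchKb is assumed; confirm it
# against the bulletin for the host's Windows version.
param(
    [switch]$Enforce,                 # also turn NLA on instead of only reporting
    [string]$PatchKb = 'KB2621440'    # ASSUMPTION: KB for MS12-020 on most platforms
)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

# Read a registry value, returning $null instead of an error when the value
# is absent (e.g. UserAuthentication does not exist on XP without SP3).
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# fDenyTSConnections = 1 means incoming RDP is refused (the client-SKU default).
$rdpDisabled = (Get-RegValue $tsRoot 'fDenyTSConnections') -eq 1
# UserAuthentication = 1 means NLA is required, so the unauthenticated code
# path the flaw lives in is never reached by an unauthenticated client.
$nlaRequired = (Get-RegValue $rdpTcp 'UserAuthentication') -eq 1
# SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS only.
$securityLayer = Get-RegValue $rdpTcp 'SecurityLayer'
# Get-HotFix lists installed updates; a missing KB yields nothing, not an error.
$patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    RdpEnabled    = -not $rdpDisabled
    NlaRequired   = $nlaRequired
    SecurityLayer = $securityLayer
    PatchPresent  = $patched
    # Exposed only when RDP listens, NLA is off, and the update is missing.
    Exposed       = (-not $rdpDisabled) -and (-not $nlaRequired) -and (-not $patched)
} | Format-List

if ($Enforce -and -not $nlaRequired) {
    # Same effect as the Fix-It: require NLA (and TLS) on the RDP-Tcp listener.
    # Takes effect for new connections without a reboot; existing sessions stay up.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    $null = $ts.SetUserAuthenticationRequired(1)
    $null = $ts.SetSecurityLayer(2)
    Write-Host "NLA is now required for RDP on $env:COMPUTERNAME"
}
```

One caveat worth checking before running with -Enforce: NLA relies on CredSSP, so clients that cannot do it (older Remote Desktop Connection versions, Windows XP without SP3 and the CredSSP registry change, and some third-party clients) will be refused once the setting is on. That is the intended effect, but it should be announced to help desks first. Enforcing NLA mitigates; it does not replace the patch, since a valid domain account still reaches the affected code.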

Microsoft on Tuesday also shipped five other patches, four rated "important" and one "moderate," which address issues in Windows, Visual Studio or Expression Design.
