March 2012 Microsoft Super Tuesday
Posted by Shane Garrett on March 13, 2012 at 1:40 PM EDT.
March was a light month for updates from Microsoft. Even so, there were three issues that are remotely exploitable that deserve special attention.
- MS12-020 : Vulnerabilities in Remote Desktop Could Allow Remote Code Execution
Two CVEs were addressed in the Critical update to Remote Desktop/Terminal Services. This update should definitely be applied, especially if you have RDP enabled for machines that are directly accessible via the Internet.
CVE-2012-0002 covers a vulnerability that affects all versions of Windows and could be exploited for denial of service or remote code execution. Specially crafted RDP packets can be sent to the server causing a use-after-free situation. The vulnerable code is in a driver so this can lead to a bugcheck or possibly code execution in the context of the kernel. If Network Level Authentication is enabled in Windows 7 and 2008 environments then the attacker would need valid credentials, otherwise this attack can be performed unauthenticated.
CVE-2012-0152 covers a denial of service vulnerability that affects the Terminal Server services on Windows 7 and 2008. An attacker using readily available tools can cause the service to stop responding due to a flaw in how the service handles connections.
- MS12-017 : Vulnerability in DNS Server Could Allow Denial of Service
This bulletin covers a privately reported vulnerability in the DNS Server software in Microsoft Windows 2003 and 2008, x86 and x64 versions. A memory leak exists when handling certain types of DNS query responses that can lead to the DNS Server process using a large amount of memory. The memory exhaustion can cause system performance issues as well as causing the DNS Server process to stop responding. Fortunately, the DNS Server can often recover from a memory exhaustion scenario by restarting. If you are using Windows as a DNS server it's recommended to apply this update.