Microsoft released its six security bulletins for the month of March yesterday in what has been called "a flashback of the bad old Patch Tuesdays".
One patch in particular is cause for concern given the worm-like capabilities of the exploit it addresses, according to experts from security performance management firm nCircle. Andrew Storms, the company's director of security operations, says the lone critical patch - MS12-020 - makes today a "red alert day for IT security" because the bug could grant an attacker access to the Remote Desktop Protocol used to grant remote users access to servers in the data centre.
The threat was given the highest rating on Microsoft's exploitability index, meaning that the exploit is an "attractive target for attackers" because they "could consistently exploit that vulnerability," according to Microsoft. Wolfgang Kandek, CTO at security solution firm Qualys, says this rating means working exploits are likely to be released in fewer than 30 days.
"It's probably the first patch this year that really raises eyebrows," Kandek says. "Attackers really appreciate this type of vulnerability where you can access it through the network and you don't need to social engineer anybody to get credentials. Just by having a machine on the network with that service running you can get control of it."
Tyler Reguly, technical manager of security research and development for nCircle, urged Microsoft customers affected by the RDP threat "to throw the patch rulebook out the window and install MS12-020 faster than your enterprise patch cycle normally allows." Indeed, system administrators should "patch this one immediately, if not sooner," Storms added, advising those who cannot install the patch to enable network-level authentication in RDP to reduce the attack surface until they can.
Even though MS12-020 addresses "privately reported vulnerabilities," Reguly says he is "surprised that Microsoft waited to release MS12-020 during its normal patch cycle."
However, the critical patch is the only one that makes this Patch Tuesday anything but a "pretty light month," Kandek says. Those other patches, which address denial of service and elevation of privilege vulnerabilities in Windows and Visual Studio, as well as a remote code execution exploit in Expression Design, can be applied within the normal patch cycle, Kandek says.
"In other words, without MS12-020, this is a completely normal and rather generic Patch Tuesday," Reguly says.
Until this month, Microsoft's Patch Tuesdays have been little more than normal and generic in 2012, with a steady decrease in critical exploits making for a more positive security outlook for Microsoft.
"I think they're doing a better job. They've got the processes in place to better manage their software development in line with security," says Paul Henry, forensic and security analyst at Lumension. "They really have put a great deal of effort into this, and if you look at the longer-term trend, I think they're really starting to bear some fruit from it."
However, although Kandek acknowledged that the critical patch is the most severe Microsoft has seen this year, he believes it will ultimately amount to little more than a bump in the road in Microsoft's pursuit of widespread security advances. Especially given that RDP is "relatively old software," Kandek believes that the threat does not accurately reflect Microsoft's recent security work.
"We see that every once in a while one of the available network services has a weakness that can be used by an attacker," he says. "It's older software that was developed and designed before security was really focused on by Microsoft, so it's not too surprising that this happened."
Above all else, Kandek believes the sudden emergence of a severe vulnerability for an outdated Microsoft product is a sign that customers will need to upgrade in order to reap the benefits of the vendor's work in security.
"The newest version is the NLA protocol, and that is actually working, it does not have the vulnerability," Kandek says. "So that's the positive side effect there. It just illustrates that the more legacy things we use, the more exposures will be found in the software."