Hi, Habr!
Here is a post by our expert Kurt Baumgartner on the March Patch Tuesday.
The March 2012 batch of patches fixes a number of vulnerabilities in Microsoft products, including a bug in the Remote Desktop service (a pre-authentication ring0 use-after-free RCE), a DoS vulnerability in Microsoft DNS Server, and several less critical local EoP (elevation of privilege) vulnerabilities.
Let me start by explaining to less technical readers what a "pre-auth ring0 use-after-free RCE" in Remote Desktop actually is.
Remote Desktop is a remote access service for Windows systems: a window opens in which you see the desktop of the computer you are connected to, as if you were physically sitting at that machine. Normally the service requires you to enter credentials before you get a session. Unfortunately, the bug sits before that step: a remote attacker who can reach the Remote Desktop service over the network can attack the system without ever entering credentials.
"ring0" means that the vulnerable code lives deep inside Windows, at the kernel level of the operating system. (For reference, most applications run at ring3, in so-called user mode.)
Use-after-free is a class of memory-safety bug that can be turned into a system compromise. As predicted several years ago, bugs of this type are proving very hard to eradicate, even though huge numbers of stack overflows and heap overflows have already been cleaned up by automated code checking and secure coding practices. Finally, "RCE" (remote code execution) describes what the vulnerability lets an attacker do: deliver and run code of his choosing on the system, and from there steal data. Put together, we get "pre-auth ring0 use-after-free RCE".
It seems that whenever a small or medium-sized organization sets up a network, employees expect to be given remote access. In turn, such organizations often expose the Remote Desktop service directly to public networks, without a VPN and without meaningful restrictions. Best practices for Remote Desktop should be followed: strong authentication requirements, and network access limited to the hosts and users that actually need it.
Some enterprises and other large organizations keep building bastions of corporate protection while still allowing Remote Desktop. The problem is that laptops and mobile devices that speak the protocol will sooner or later be used from cafes and other places with public Wi-Fi, where a weak security policy set by the user exposes them to attack. The infected device is then carried back into the protected corporate network and infects a large number of systems from the inside. For corporate networks where patch installation may be delayed, Microsoft offers Network Level Authentication (NLA) for Remote Desktop: the client must authenticate before a session is created, so an unauthenticated attacker never reaches the vulnerable pre-authentication code.
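The NLA mitigation mentioned above, as an added PowerShell example that is not code from the original post or from Microsoft: it reads the Remote Desktop listener settings from the registry, reports whether NLA is required, and provides functions to enforce NLA and to limit which source addresses may reach the listener. It assumes the default listener name `RDP-Tcp`, an elevated PowerShell session, and an illustrative management subnet of `10.0.0.0/8` that you should replace with your own VPN or management range.

```powershell
# Added example (not code from the original post): audit the Remote Desktop listener
# for Network Level Authentication (NLA) and, optionally, enforce it. With NLA the
# client must authenticate (CredSSP) before any session is created, so an anonymous
# attacker never reaches the pre-authentication code path that this month's patch fixes.
# Assumptions: the default listener name 'RDP-Tcp', an elevated PowerShell session,
# and an example management subnet of 10.0.0.0/8 for the firewall restriction.

$TsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ListenerKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpHardeningState {
    $ts  = Get-ItemProperty -Path $TsKey
    $rdp = Get-ItemProperty -Path $ListenerKey
    [pscustomobject]@{
        RdpEnabled    = ($ts.fDenyTSConnections -eq 0)    # 1 = Remote Desktop disabled
        NlaRequired   = ($rdp.UserAuthentication -eq 1)   # 1 = NLA required
        SecurityLayer = $rdp.SecurityLayer                 # 0 = RDP, 1 = Negotiate, 2 = TLS
        Port          = $rdp.PortNumber                    # default 3389
    }
}

function Set-RdpNlaRequired {
    # Same as ticking "Allow connections only from computers running Remote Desktop
    # with Network Level Authentication" in System Properties. New connections pick
    # the registry values up after the TermService service is restarted.
    Set-ItemProperty -Path $ListenerKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $ListenerKey -Name SecurityLayer     -Value 2 -Type DWord
    # The same setting through WMI, which applies immediately:
    # (Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
    #     -Filter "TerminalName='RDP-Tcp'").SetUserAuthenticationRequired(1)
}

function Limit-RdpSources {
    # Assumption: replace the subnet with your own VPN / management range.
    param([string]$AllowedSubnet = '10.0.0.0/8')
    # Restrict the built-in "Remote Desktop" firewall rule group to the given remote addresses.
    netsh advfirewall firewall set rule group="remote desktop" new remoteip=$AllowedSubnet
}

$state = Get-RdpHardeningState
$state | Format-List
if ($state.RdpEnabled -and -not $state.NlaRequired) {
    Write-Warning 'Remote Desktop is reachable without NLA: unauthenticated clients hit the pre-auth code path.'
    # Set-RdpNlaRequired    # uncomment to enforce NLA
    # Limit-RdpSources      # uncomment to limit source addresses as well
}
```

Requiring NLA means clients without CredSSP support (older systems) can no longer connect, so check your client population before enforcing it across the estate; the source-address restriction is the second layer for hosts that must stay reachable from the Internet until the patch is on.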
Last fall, we watched the Morto worm, which guessed passwords to companies' publicly exposed Remote Desktop services. The worm spread mainly because passwords on administrator accounts were extremely weak! After that incident, the professional community turned its attention to the weak protection of Remote Desktop services. Obviously, this vulnerability needs to be patched immediately. The fact that it is a use-after-free in ring0 may make a reliable exploit harder to write, but Microsoft gave the vulnerability an Exploitability Index of 1, so these characteristics will most likely not keep an exploit from appearing in the near future. Do not delay installing the patch for CVE-2012-0002.
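The Morto-style password guessing described above leaves a clear trace in the Windows Security log: many failed logons (event ID 4625) from one source address in a short time. The following is an added PowerShell example, not code from the original post, that flags such sources with a sliding window. It runs offline against a constructed sample event set; the threshold and window are illustrative assumptions to be tuned per environment, and the comment at the end shows how to feed it real 4625 events instead.

```powershell
# Added example (not code from the original post): spot Morto-style password guessing
# against Remote Desktop in the Security log. A source that produces many failed logons
# (event 4625) in a short window is flagged; a user mistyping a password twice is not.
# Assumptions: the sample events constructed below stand in for Get-WinEvent output;
# $Threshold and $WindowMinutes are illustrative and should be tuned to the environment.

function Find-RdpPasswordGuessing {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        [int] $Threshold     = 10,
        [int] $WindowMinutes = 5
    )
    # Logon type 10 = RemoteInteractive (classic RDP). With NLA enabled, failed CredSSP
    # logons are recorded as type 3 (Network), so both are considered.
    $Events |
        Where-Object { @(3, 10) -contains $_.LogonType } |
        Group-Object -Property IpAddress |
        ForEach-Object {
            $times = @($_.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
            # Sliding window: does any run of $Threshold consecutive failures fit inside the window?
            for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
                if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                    [pscustomobject]@{
                        SourceIp  = $_.Name
                        Failures  = $times.Count
                        Accounts  = ($_.Group | Select-Object -ExpandProperty TargetUserName -Unique) -join ','
                        FirstSeen = $times[0]
                        LastSeen  = $times[-1]
                    }
                    break
                }
            }
        }
}

# Constructed sample (not real telemetry): 12 failures against Administrator from one
# address at 20-second intervals, plus two typos by a legitimate user from another.
$base = [datetime]'2012-03-13T02:00:00'
$SampleEvents = @(
    1..12 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $base.AddSeconds(20 * $_); TargetUserName = 'Administrator'; LogonType = 10; IpAddress = '198.51.100.23' }
    }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(30); TargetUserName = 'jsmith'; LogonType = 10; IpAddress = '10.0.0.5' }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(31); TargetUserName = 'jsmith'; LogonType = 10; IpAddress = '10.0.0.5' }
)

Find-RdpPasswordGuessing -Events $SampleEvents | Format-Table -AutoSize

# On a live host, replace $SampleEvents with real 4625 events. In event 4625 the
# Properties positions are 5 = TargetUserName, 10 = LogonType, 19 = IpAddress:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ForEach-Object {
#     [pscustomobject]@{ TimeCreated = $_.TimeCreated; TargetUserName = $_.Properties[5].Value
#                        LogonType = [int]$_.Properties[10].Value; IpAddress = $_.Properties[19].Value }
# }
```

Against the sample, the noisy source is reported with all twelve failures against the Administrator account, while the two mistakes from the legitimate user stay below the threshold. A worm like Morto also shows up as the same source trying many account names, which is why the output lists the distinct accounts per source.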
Finally, Microsoft DNS Server also contains a DoS vulnerability. Given the increase in hacktivist activity over the past year, businesses and providers running this software should treat the DNS server patch as urgent. And just in case: one sign of an attack is a spike in UDP traffic to your DNS servers. Be careful!