Patch Analysis for March 2012

Of this month’s 6 security bulletins, the one marked critical is MS12-020. Only computers with RDP (Remote Desktop, Terminal Services) enabled are affected. Microsoft indicates that an exploit is likely to be successful. There are two vulnerabilities. The first and most critical is an unauthenticated attack, so it can be prevented with Network Level Authentication. However, the computer would still be vulnerable to a denial-of-service attack. Therefore we recommend deploying the patch after testing. If Network Level Authentication is employed, computers without support for it will not be able to connect. Windows XP SP3 must have CredSSP turned on.
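To see which of those cases a given machine falls into before the patch is deployed, the script below (an added example, not part of the original analysis) reads the local RDP and NLA settings and reports the matching exposure. The function names are illustrative; the registry values are the standard Terminal Services settings, with the Group Policy copy taking precedence when present.

```powershell
# Added example. Registry locations are the standard Terminal Services settings.
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-EffectiveValue {
    param([string]$Name, [string]$LocalPath)
    # A Group Policy value, when present, takes precedence over the local one.
    $policy = Get-RegValue -Path $policyKey -Name $Name
    if ($null -ne $policy) { return $policy }
    Get-RegValue -Path $LocalPath -Name $Name
}

function Get-RdpExposure {
    # fDenyTSConnections = 0 means RDP connections are accepted.
    $deny = Get-EffectiveValue -Name 'fDenyTSConnections' -LocalPath $tsKey
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla  = Get-EffectiveValue -Name 'UserAuthentication' -LocalPath $rdpTcpKey

    if ($null -eq $deny) {
        $verdict = 'Unknown: fDenyTSConnections not found, check manually'
    } elseif ($deny -ne 0) {
        $verdict = 'RDP disabled: not affected by MS12-020 in this state'
    } elseif ($nla -eq 1) {
        $verdict = 'RDP with NLA: unauthenticated attack blocked, DoS remains until patched'
    } else {
        $verdict = 'RDP without NLA: exposed to both vulnerabilities until patched'
    }

    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        RdpEnabled  = ($deny -eq 0)
        NlaRequired = ($nla -eq 1)
        Verdict     = $verdict
    } | Select-Object Computer, RdpEnabled, NlaRequired, Verdict
}

Get-RdpExposure | Format-List
```

The script only reports configuration; it does not check whether the MS12-020 update itself is installed.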

In general we recommend giving special attention to servers. The update in MS12-017 should be given priority for DNS servers. In fact, the update can only be installed on DNS servers. Therefore any new server that receives this role should get the update after the role is assigned.

MS12-018 tells of a vulnerability in the way the Windows kernel-mode driver manages the PostMessage function. All supported Windows computers should get the patch.

The vulnerability in MS12-019 is the only one this month that was previously publicly disclosed. This will have limited impact as it causes a DoS in Instant Messenger.

The vulnerability in MS12-022 is caused by insecure DLL loading by Expression Design (an illustration and graphic design tool).

Developers who use Visual Studio will want to apply the patch with bulletin MS12-021.


| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS12-018 (2641653) | Privilege elevation / Windows kernel mode drivers | Workstations, Terminal Servers | No/No | No | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS12-017 (2647170) | Denial of service / DNS Server | DNS Servers | No/No | Yes | Important | Server 2003, Server 2008, Server 2008 R2 | Restart Req'd | Patch after testing |
| MS12-022 (2651018) | Arbitrary code / Expression Design | Workstations, Terminal Servers | No/No | No | Important | Expression Design | | Patch after testing |
| MS12-021 (2651019) | Privilege elevation / Visual Studio | Terminal Servers, Developer Workstations | No/No | No | Important | Visual Studio 2008, Visual Studio 2010 | | Patch after testing |
| MS12-019 (2665364) | Denial of service / DirectWrite | Workstations, Terminal Servers | Yes/No | No | Moderate | Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | | Patch after testing |
| MS12-020 (2671387) | Arbitrary code / RDP | Terminal Servers | No/No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
