Norman Safeground Blogs

insight, opinion & information


Patch Tuesday Targets Critical Windows Bug

Yesterday it was time for Microsoft’s monthly ritual, Patch Tuesday, when Microsoft released  a regularly scheduled batch of security fixes. This month’s list of fixes is unusually mild –six bulletins that fix six vulnerabilities and Microsoft only classifies one as critical.

Although March’s Patch Tuesday is light, the addition of six bulletins makes a total of 22 bulletins, an almost 30% increase from the same time in 2011. The number of patches is up, but severity is declining. In 2011, Microsoft ranked 32 of its 100 patches critical; to date in 2012, 6 of the 22 bulletins have been critical. At the current rate, there will be a 25% decrease in critical fixes, which should be welcome news for administrators.

The majority of March’s bulletins, four in total, fix vulnerabilities in the operating system. The remaining two bulletins, classified as important, impact development tools Visual Studio and Expression design. The only critical bulletin, MS12-020, fixes a vulnerability in Microsoft’s implementation of Remote Desktop Protocol (RDP). The vulnerability allows remote, unauthenticated attackers to breach a system and run arbitrary code. The issue impacts most version of Windows and can be exploited over the network if RDP is enabled; systems that don’t have RDP enabled aren’t at risk. In addition to a critical severity, MS12-020 also has an exploitability classification of 1 (exploit code likely), which means administrators only have a small window to patch their systems before exploits appear in the wild.

In addition to this issue, there are two important and one moderate patches for Windows:

  • MS12-017 – Corrects a DNS Server flaw that could allow denial of service attacks in all supported editions of Windows Server 2003, 32-bit and x64-based editions of Windows Server 2008, and x64-based editions of Windows Server 2008 R2.
  • MS12-018 – Fixes vulnerability in Windows Kernel Mode Drivers that allows privilege elevation. The issue exists in all supported versions of Windows
  • MS12-019 – Patches a hole in the DirectX API, DirectWrite that could enable a denial of service attack. The hole exists in all supported editions of Windows Vista, Windows Server 2008 (except Windows Server 2008 for Itanium-based Systems), Windows 7, and Windows Server 2008 R2.

The remaining two bulletins, MS12-021 and MS12-022 have important ratings and impact two of Microsoft’s development tools. Surprisingly, there are no patches for Microsoft Office this month. Additional detailed information about March’s bulletins is available on Technet.

The Impact of March’s Patch Tuesday

In addition to fixing issues, Mozilla cited this month’s Patch Tuesday as the reason for delaying its release of Firefox 11. Mozilla originally scheduled the release for March 13, but Monday it was announced there would be no official roll out of the update on Tuesday. A blog entry by Senior Director of Firefox Engineering, Jonathan Nightingale, listed two reasons for the delay”

  • Possible negative impacts to the Firefox 11 due to Microsoft’s security patches
  • A possible security vulnerability in Firefox

An update to the article indicated the security vulnerability had been resolved and that Mozilla would release the update to Firefox for manual installs, but not automatic updates. Nightingale explained,

“In order to understand the impacts of Microsoft’s “Patch Tuesday” fixes, we will initially release Firefox for manual updates only. Once those impacts are understood, we’ll push automatic updates out to all of our users.”

Given that Microsoft has been releasing security patches at the same time each month for several years, I’m not sure why Mozilla didn’t plan for a final round of integration testing for Firefox and delay the release earlier.

In addition to the Patch Tuesday updates, Microsoft also revised its August 2010 MS10-058 bulletin. Microsoft rated the bulletin as important; addressed a flaw in TCP/IP that could allow an attacker to gain elevated privileges and execute malicious code. The revision removes MS10-029 as the replaced bulletin for all editions of Windows Vista and Windows Server 2008. The change only impacts detection, not the actual fix.

As usual, you should install the patches as soon as possible after you’ve verified that they will not negatively impact your systems. Promptly installing patches ensures attackers will be unable to exploit the vulnerability to gain access to your systems and data. If you have questions or concerns about the March’s security bulletins, Microsoft is conducting a webinar on March 14 at 11:00AM PST (US & Canada). The event is free, but registration is required.

Tags: ,

One Response to Patch Tuesday Targets Critical Windows Bug

  1. Caroline E says:

    Important! Thank you very much!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>



The Author:

Made up of various contributors' opinions and insights - the power of the collective.

For Consumption Bloggers

Norman Safeground Blogs Archive