VERT Alert - March 13, 2012

March 13, 2012 11:55 AM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today's VERT Alert addresses 6 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-449 on Wednesday, March 14th.

DNS Denial of Service Vulnerability CVE-2012-0006
PostMessage Function Vulnerability CVE-2012-0157
DirectWrite Application Denial of Service Vulnerability CVE-2012-0156
Remote Desktop Protocol Vulnerability CVE-2012-0002
Terminal Server Denial of Service Vulnerability CVE-2012-0152
Visual Studio Add-In Vulnerability CVE-2012-0008
Expression Design Insecure Library Loading Vulnerability CVE-2012-0016


The first bulletin released today addresses a single vulnerability in Microsoft's DNS Server. Successfully exploiting this denial of service could lead to a full system restart. The problem occurs when a malicious query triggers improper memory handling.


The vulnerability fixed by MS12-018 is one that I would put on the list of "common culprits" that we expect to see on a regular basis. In this case, the "common culprit" is the Windows Kernel-Mode Drivers (Win32k.sys), and we're seeing another local privilege escalation. We saw win32k.sys patched last month and prior to that in December 2011, so this is clearly an expected patch for enterprises to deal with.


This may be the most surprising bulletin this month, simply because Microsoft rarely patches client-side denial-of-service issues. It has the standard attack vectors (web-based and email) but adds another, rarely seen, attack vector: Instant Messenger. A character combination sent to IM clients, such as Windows Live Messenger, can cause the client to hang.


The highest risk issue this month is, without a doubt, MS12-020. The attack vector we're talking about is a remote, unauthenticated service. While the word should not be used lightly, this definitely falls into the potentially wormable category and should be high on everyone's patch list. Microsoft has released an excellent blog post on this vulnerability, which includes details on how to change your settings to turn this remote, unauthenticated vulnerability into a remote, authenticated vulnerability. Please also note that every version of Windows is affected by this vulnerability.


This less-than-critical bulletin applies to Visual Studio, which already limits the base of users affected by this issue. In addition, a user must be logged in and interacting with the system in order to exploit this vulnerability and escalate their privileges. Exploiting this vulnerability requires placing a malicious Visual Studio Add-In in the VS path and waiting for someone with high privileges to run Visual Studio.


The last bulletin this month is our second "common culprit". This time we're seeing seldom-mentioned software, Microsoft Expression Design, vulnerable to the increasingly common DLL Preloading attack. The default affected extensions, should you have Expression Design installed, are .xpr and .DESIGN.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.


Ease of Use (published exploits) to Risk Table:

Ease of use: Automated Exploit, Extremely Difficult, No Known Exploit

Risk: Local Availability, Remote Availability, Remote Access, Local Privileged, Remote Privileged


All data and commentary is based on information available when the VERT Alert is published.