Microsoft Issues Urgent Patch for ‘Wormable’ RDP Vulnerability

Microsoft released six new security bulletins today for the March 2012 Patch Tuesday. Six is a very reasonable number–far short of some of the overwhelming barrages typical of many 2011 Patch Tuesdays. But, one of the six is a dangerous flaw in RDP (Remote Desktop Protocol) that evokes post-traumatic stress flashbacks to the CodeRed, Nimda, and SQL Slammer days.

The other five include one Moderate and four Important security bulletins. They address issues in things like DNS, Windows kernel-mode drivers, and Visual Studio. Admins are free to follow normal patch operating procedure when it comes to assessing and deploying these fixes. But, when it comes to the one Critical update–MS12-020–security experts say you can’t patch fast enough.

I spoke with Qualys CTO Wolfgang Kandek, and Director of Vulnerability Labs Amol Sawarte. Both stressed that the RDP flaws revealed in MS12-020 are very dangerous. RDP allows remote access to systems–often to servers so admins can manage them remotely–and an exploit would not even require network credentials.

Microsoft emphasized in a Microsoft Security Response Center blog post that organizations using NLA (Network Level Authentication) are at significantly less risk. NLA adds an authentication layer that would make it much harder for an exploit of the RDP flaws to work.

Applying the MS12-020 fix requires a server reboot, though, and many organizations are reluctant to apply patches without first testing them properly. As a temporary workaround, Microsoft has developed a one-click, no-reboot Fix-It that enables NLA to mitigate the issue.

Kandek warns, however, that NLA is only native on Windows Vista and later versions including Windows 7, Windows Server 2008, and Windows Server 2008 R2. There is, however, client software available to make NLA work with Windows XP if necessary.

Here’s some additional commentary to underscore the urgency of the MS12-020 security bulletin. Andrew Storms, Director of Security Operations for nCircle, says “It’s a ‘red alert’ day for IT security–many enterprise systems just became vulnerable to a serious worm attack vector,” adding, “This is also a very serious security issue for the millions of servers residing in public clouds because user-enabled RDP is likely to be the method for access.”

Tyler Reguly, Technical Manager of Security Research and Development for nCircle declared, “Today is a flashback of the bad old Patch Tuesdays.”

Reguly says he’s surprised that Microsoft waited until Patch Tuesday to address this very serious issue rather than releasing a more urgent out-of-band update.

Storms sums up with the importance of MS12-020: “Patch this one immediately, if not sooner.”