A Week of Critical Patches

Sue Marquette Poremba

Microsoft's Patch Tuesday was this week, and with it came a critical update. You know you need to pay attention to the update when you see a headline about Patch Tuesday that begins with "Yikes!"


The critical update is in the Remote Desktop Protocol, which can be exploited to run arbitrary code on any Windows system. Marcus Carey, security researcher at Rapid7, explained the update, MS12-020, to me this way:

MS12-020 is labeled as critical and affects all Windows XP Service Pack 3, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 that are running remote desktop protocol (RDP). RDP is used for remote management by many organizations, and this will remind people of the pcAnywhere vulnerabilities in the press recently.
MS12-020 will affect most organizations and is labeled critical because it could result in remote code execution. Organizations should immediately disable RDP where it is not needed. Organizations should also apply appropriate ingress firewall rules where they can. Organizations should be ready to test and deploy the patch as soon as possible. RDP is not enabled by default, but many times it is turned on for administration tasks and just left enabled.

MS12-020 was the only one of the six updates considered to be critical. PC Magazine pointed out that while there is currently nothing out there attacking this vulnerability, Microsoft anticipates it is just a matter of days before an exploit is discovered. Looks like Microsoft is ahead of the bad guys on this one.


Microsoft isn't the only one issuing patches this week. Apple also issued a patch for Safari to fix a record number of 83 vulnerabilities, 72 of them considered critical. Like Microsoft, Apple was proactive in that it provided a patch before the vulnerability was used in any attacks. According to Computerworld:

Seventy-two of the 83 flaws were patched in WebKit, the open-source browser engine that powers both Safari and Google's Chrome. Apple tagged them all as memory corruption bugs that could be triggered simply by visiting a malicious site. ... iTunes relies on WebKit to render its online store.

Google, by the way, addressed these vulnerabilities in Chrome sometime ago, Computerworld mentioned.


Most of us come to expect Microsoft's monthly Patch Tuesday. It has become such a normal part of the security routine that I don't even hear about it from security experts unless there is a critical update that requires immediate attention, like this one. Hearing about an Apple patch, particularly one so large, however, is rare, but Carey believes that we should expect to see a lot of security fixes whenever Apple has a new launch. Carey added this thought:

There are a couple of takeaways from this, the first being that Apple products are "hacker proof" is a myth. With the bring-your-own-device movement gaining steam in IT enterprises, there are many organizations that have Apple products appearing in their networks without the tools to manage them. Even just allowing employees to install iTunes on their machines exposes the organization to Safari/WebKit vulnerabilities.

Add Comment      Leave a comment on this blog post
Mar 21, 2012 4:16 AM Ari Goldstein Ari Goldstein  says:

Marcus Carey, security researcher at Rapid7, is not explaining himself beyond 'jumping aboard' the APPLE WILL BE INFECTED routine.

While I do not doubt that this could happen, simply saying this is like Cartman from SouthPark chiming in to a conversation.

Microsoft Windows, unfortunately, is designed in such a way that it can get regularly exploited. Of course it is admirable that Microsoft Windows is so dynamic and can install on so many devices. It is also amazing that they are such a powerful company - a true historical software company with insane profits.

On the other hand Apple is limited to a certain hardware platform. The WAY Microsoft Windows can get infected is based on it's entire foundation design.

Apple has a DIFFERENT foundation design. It has been strengthening its operating system - UNIX - since they adopted it. UNIX was started way before Apple launched and it continues to be designed differently than Microsoft Windows.

While Windows 95 was coming into its own, Unix was in production environments and was coping with massive deployments. It had never been effected by hackers and malicious attacks in the same way Microsoft was. On a basic level Windows installed itself with all ports opened. Unix with all ports closed. Just one example of how vulnerable Microsoft was compared to Apple.

So it's not like Apple will OPEN the ports to its operating system and become weaker.

I am not saying that current innovations into Microsoft Windows operating systems is not more security minded now than ever before. It is really maturing.

But to say that Apple security is a myth is incorrect.

A better argument from Carey WOULD HAVE BEEN explaining these factors.

Frankly because Microsoft Windows is designed the way it is and there are endless attacks on it, it would be the RIGHT thing to say:

The Microsoft Windows operating system is taken advantage of because of 1,2 and 3 vectors.

Meanwhile, Apple, which is built completely differently is attacked into its foundation design because of these main vectors: 1, 2, 3.

Instead we are left with this statement from Carey that is basically saying "Yeah, see!!! I told you idiots that Apple security is a myth!! Ha ha!!"


Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.