Microsoft's Patch Tuesday was this week, and with it came a critical update. You know you need to pay attention to the update when you see a headline about Patch Tuesday that begins with "Yikes!"
The critical update fixes a vulnerability in the Remote Desktop Protocol (RDP) that can be exploited to run arbitrary code on any Windows system running RDP. Marcus Carey, security researcher at Rapid7, explained the update, MS12-020, to me this way:
MS12-020 is labeled as critical and affects all Windows XP Service Pack 3, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 systems that are running Remote Desktop Protocol (RDP). RDP is used for remote management by many organizations, and this will remind people of the pcAnywhere vulnerabilities in the press recently.
MS12-020 will affect most organizations and is labeled critical because it could result in remote code execution. Organizations should immediately disable RDP where it is not needed. Organizations should also apply appropriate ingress firewall rules where they can. Organizations should be ready to test and deploy the patch as soon as possible. RDP is not enabled by default, but many times it is turned on for administration tasks and just left enabled.
MS12-020 was the only one of the six updates considered to be critical. PC Magazine pointed out that while there is currently nothing out there attacking this vulnerability, Microsoft anticipates it is just a matter of days before an exploit is discovered. Looks like Microsoft is ahead of the bad guys on this one.
Microsoft isn't the only one issuing patches this week. Apple also issued a patch for Safari to fix a record 83 vulnerabilities, 72 of them considered critical. Like Microsoft, Apple was proactive in that it provided a patch before the vulnerabilities were used in any attacks. According to Computerworld:
Seventy-two of the 83 flaws were patched in WebKit, the open-source browser engine that powers both Safari and Google's Chrome. Apple tagged them all as memory corruption bugs that could be triggered simply by visiting a malicious site. ... iTunes relies on WebKit to render its online store.
Google, by the way, addressed these vulnerabilities in Chrome some time ago, Computerworld mentioned.
Most of us have come to expect Microsoft's monthly Patch Tuesday. It has become such a normal part of the security routine that I don't even hear about it from security experts unless there is a critical update that requires immediate attention, like this one. Hearing about an Apple patch, particularly one so large, is rare. Carey, however, believes that we should expect to see a lot of security fixes whenever Apple has a new launch. Carey added this thought:
There are a couple of takeaways from this, the first being that the idea that Apple products are "hacker proof" is a myth. With the bring-your-own-device movement gaining steam in IT enterprises, there are many organizations that have Apple products appearing in their networks without the tools to manage them. Even just allowing employees to install iTunes on their machines exposes the organization to Safari/WebKit vulnerabilities.