Strength, flexibility and the March 2012 security bulletins

Hello. Today we’re releasing six security bulletins – one Critical-class, four Important and one Moderate – addressing seven issues in Microsoft Windows, Visual Studio, and Expression Design. We recommend that customers focus on MS12-020, our sole critical-class bulletin, as the March deployment priority. A little about MS12-020:

  • MS12-020 (Windows): This bulletin addresses one Critical-class issue and one Moderate-class issue in Remote Desktop Protocol (RDP). Both issues were cooperatively disclosed to Microsoft and we know of no active exploitation in the wild. The Critical-class issue applies to a fairly specific subset of systems – those running RDP, which is not enabled by default – and is less problematic for systems with Network Level Authentication (NLA) enabled. That said, we strongly recommend that customers examine and prepare to apply this bulletin as soon as possible. The Critical-class issue could allow a would-be attacker to achieve remote code execution on a machine running RDP; if the machine does not have NLA enabled, the attacker would not need to authenticate before reaching the vulnerable code.

We understand that our customers need time to evaluate and test all bulletins before applying them. To provide a bit of scheduling flexibility, we’re offering a one-click, no-reboot Fix it that enables Network Level Authentication, an effective mitigation for this issue. It applies to Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 systems, and you can read all about it on the SRD blog. We’re pleased that the circumstances around this issue – well understood, not under active attack, easy-to-apply mitigation – give us the chance to provide both strength and flexibility as customers go about their update routines.
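For administrators who want to check which hosts actually sit in the exposed configuration (RDP listening, NLA not required) before the update and the Fix it reach them, the following PowerShell script is an added example; it is not Microsoft's Fix it and not part of the original post. It assumes the standard Terminal Server registry locations and the Win32_TSGeneralSetting WMI class that ship with the same Windows versions the Fix it covers (Vista, Server 2008, Windows 7, Server 2008 R2).

```powershell
# Added example, not Microsoft's Fix it: audit the local host's RDP/NLA state and,
# if asked, require NLA the same way the Fix it does (no reboot needed).
# Assumption: standard Terminal Server registry locations on Vista/7/2008/2008 R2.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RdpNlaStatus {
    # fDenyTSConnections = 1 means Remote Desktop is switched off (the default).
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before a session is created.
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
                -ErrorAction SilentlyContinue).UserAuthentication

    # New-Object rather than [pscustomobject] so the script also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = ($deny -eq 0)
        NlaRequired  = ($nla -eq 1)
        # The pre-authentication path MS12-020 describes: RDP on, NLA off.
        AtRisk       = ($deny -eq 0) -and ($nla -ne 1)
    }
}

function Enable-RdpNla {
    # Flips the same setting the Fix it changes, through the Terminal Services
    # WMI provider, so it takes effect immediately. Requires an elevated shell.
    $ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                        -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    $ts.SetUserAuthenticationRequired(1) | Out-Null
}

$status = Get-RdpNlaStatus
$status | Format-List ComputerName, RdpEnabled, NlaRequired, AtRisk
if ($status.AtRisk) {
    Write-Warning 'RDP is reachable without NLA; run Enable-RdpNla (elevated) and deploy MS12-020.'
}
```

Run Get-RdpNlaStatus across a fleet (for example through Invoke-Command, which is assumed available via PowerShell remoting) to build the list of hosts that need the Fix it first. Before calling Enable-RdpNla, keep in mind the caveat that applies to the Fix it as well: requiring NLA rejects Remote Desktop clients that do not support CredSSP, so older clients may need updating before the setting is enforced.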

In the video below, Yunsun Wee discusses this month’s bulletins, including MS12-020, in further detail.

Below is this month’s deployment priority guidance, to further assist customers in their deployment planning.

Deployment Priority

Our risk and impact graph shows an aggregate view of March’s severity and exploitability index. Note that MS12-019 does not receive an XI rating.

Exploitability Index

You can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page.

Per our usual process we’ll offer the monthly technical webcast on Wednesday, hosted by Pete Voss and Dustin Childs. They’ll talk through the March bulletins, discuss changes on the horizon for Technet, and answer any further questions about the NLA Fix it. The webcast is scheduled for tomorrow, March 14, 2012, at 11 a.m. PDT. Click here to register, and as always we look forward to taking your questions live during the webcast.

Angela Gunn
Trustworthy Computing.