Microsoft Patches Critical Windows Vulnerability
The update is one of six released on Microsoft's scheduled patch day on the second Tuesday of each month. The only critical hole, which affects all supported versions of Windows, is in the operating system's Remote Desktop Protocol service.
RDP is primarily used by PC administrators in businesses to remotely access desktops and laptops. Because the service is switched off by default, the flaw is not considered a major threat to consumers.
Security vendors recommended that businesses install the RDP update as soon as possible. Microsoft has given the vulnerability an exploitability rating of one, which means the company expects malware targeting the flaw to start showing up on the Internet in less than 30 days.
"Patch this one immediately, if not sooner," Andrew Storms, director of security operations for San Francisco-based nCircle, said. For companies that can't install the patch immediately, Storms recommended enabling Network Level Authentication in RDP. "This mitigation will reduce the attack surface significantly because attackers need valid credentials to execute a successful attack," he said in an e-mail.
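The mitigation Storms describes can be checked from the affected host. The following PowerShell, added here as an illustration and not taken from the article or from Microsoft's guidance, reads the two standard Terminal Server registry values (RDP on or off, and whether Network Level Authentication is required) and can enforce NLA; it assumes the default listener name `RDP-Tcp`.

```powershell
# Added example (not from the article): audit, and optionally enforce, the
# Network Level Authentication mitigation for the local RDP listener.
# Assumes the default listener name "RDP-Tcp" and the standard Terminal Server
# registry locations used by supported Windows versions.
$tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listener = Join-Path $tsRoot 'WinStations\RDP-Tcp'

function Get-RdpNlaStatus {
    # fDenyTSConnections = 1 means Remote Desktop is switched off (the default the article refers to).
    $deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means a client must authenticate (NLA) before a session is created.
    $nla  = (Get-ItemProperty -Path $listener -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = ($deny -eq 0)
        NlaRequired  = ($nla -eq 1)
        # Exposed: the listener is on and still accepts connections from clients that have not
        # authenticated, which is the pre-authentication surface NLA is meant to remove.
        Exposed      = ($deny -eq 0) -and ($nla -ne 1)
    }
}

function Set-RdpNlaRequired {
    # Needs an elevated shell. Clients without CredSSP support (older than the RDP 6.0
    # client) will no longer be able to connect once NLA is required.
    Set-ItemProperty -Path $listener -Name UserAuthentication -Value 1 -Type DWord
    Get-RdpNlaStatus
}

$status = Get-RdpNlaStatus
$status | Format-List
if ($status.Exposed) {
    Write-Warning 'RDP is enabled without NLA: install the update, or run Set-RdpNlaRequired from an elevated prompt.'
}
```

Run the audit part across a fleet first; enforcing NLA is a configuration change that older clients will notice, so it belongs in change control rather than an ad hoc push.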
The remaining updates fix non-critical flaws. Three are also in Windows. Two are denial-of-service related, with one affecting users running Microsoft's DNS server; the other was introduced starting with Vista. The third lets an attacker who has already entered a system escalate privileges to the administrator level. Two of the updates, along with the critical fix, require systems to be rebooted after installation.
The remaining two updates sew up holes in Visual Studio and in Microsoft Expression Design, which allows designers to leverage vector graphics in Web applications. The former flaw enables a privilege escalation, if an attacker is able to acquire valid credentials, and the latter makes it possible to execute malicious code remotely.