If you manage or run Microsoft products, it’s time to patch, especially if you use Remote Desktop and expose it outside your network.
Microsoft has posted their June security bulletin summary, which describes seven security bulletins fixing 27 vulnerabilities in many of their products, including:
- Internet Explorer (IE)
- .NET Framework
- Microsoft Lync (and Communicator 2007)
- Microsoft Dynamics AX Enterprise Portal
They rate three of these bulletins as Critical, which typically means remote attackers can exploit them to gain control of affected computers.
The Remote Desktop Protocol (RDP) bulletin and Internet Explorer cumulative patch seem the most concerning to me. RDP is a very popular service, which some users and administrators enable externally. Today’s RDP update fixes a serious vulnerability that remote attackers could leverage to gain full control of your RDP servers. It’s similar in scope to another serious RDP flaw Microsoft fixed in March. If you manage RDP-enabled machines, I’d apply this update quickly.
The IE patch fixes 13 security flaws in the popular web browser. Many of the vulnerabilities allow for code execution, meaning attackers could exploit them to launch drive-by download attacks. Since almost all Microsoft users run IE, and attackers have increasingly leveraged web attacks to spread malware, I’d consider this the most important update, and apply it first. You can apply the other updates in the order suggested by Microsoft’s summary post.
I’ll share more details about these issues, and how to fix them, in consolidated LiveSecurity alerts I’ll post here shortly. Since I suspect only a few administrators use Lync and the Dynamics AX Enterprise Portal, I will probably describe those updates only in a short blog post later.
— Corey Nachreiner, CISSP (@SecAdept)