Patch Tuesday Prose
One of the patches announced yesterday, for June 2012 Patch Tuesday, was about a vulnerability first highlighted last month against RDP on port 3389. In over 10 years in this job, I still cannot fathom why someone would open that port to the internet without the protection of a VPN or remote connection software like Citrix. Nevertheless, even among our customers, we count several who demanded this port be open from the internet, despite our strong advice against it (which, in truth, has always been our stance on this issue and which has now become substantiated by last month’s announcement).
It would appear that the specific vulnerability may now be patched; but, of course, we’ll need to see how true this is. Regardless, my personal perspective on the issue has not changed – you should never expose to the internet a login prompt to a server; no matter how secure your password, your security at that point is only as strong as your weakest password, and hackers have all the time in the world to cause damage. If nothing else, they can continue trying to log in and end up locking your accounts over and over, creating a DoS attack by simply attempting to crack your passwords. So, why risk it?
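The repeated-lockout pattern described above can be spotted in logon records. The following is an added example, not part of the original post: it correlates failed logons (Windows Security event 4625) from outside the network with account lockouts (event 4740). The CSV layout, internal ranges, window and threshold are assumptions, and the log lines are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample export (assumed layout): time,event_id,account,source_ip
# 4625 = failed logon, 4740 = account locked out.
SAMPLE_LOG = """\
2012-06-13T09:00:05,4625,jsmith,203.0.113.7
2012-06-13T09:00:12,4625,jsmith,203.0.113.7
2012-06-13T09:00:19,4625,jsmith,203.0.113.7
2012-06-13T09:00:20,4740,jsmith,
2012-06-13T09:10:01,4625,akhan,10.1.4.22
2012-06-13T09:10:09,4625,akhan,10.1.4.22
2012-06-13T09:10:15,4625,akhan,10.1.4.22
2012-06-13T09:10:16,4740,akhan,
2012-06-13T09:31:02,4625,jsmith,203.0.113.9
2012-06-13T09:31:08,4625,jsmith,203.0.113.7
2012-06-13T09:31:14,4625,jsmith,203.0.113.9
2012-06-13T09:31:15,4740,jsmith,
"""

# Assumptions: which ranges count as internal, and the lockout policy in force.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=30)
THRESHOLD = 3

def is_external(addr):
    return not any(ip_address(addr) in net for net in INTERNAL_NETS)

def external_lockouts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Map account -> [(lockout time, external source IPs)]; rows must be in time order."""
    failures = defaultdict(list)   # account -> [(time, source_ip)] for external failures only
    findings = defaultdict(list)
    for time_s, event_id, account, source in csv.reader(io.StringIO(log_text)):
        when = datetime.fromisoformat(time_s)
        if event_id == "4625" and source and is_external(source):
            failures[account].append((when, source))
        elif event_id == "4740":
            recent = [ip for t, ip in failures[account] if when - window <= t <= when]
            if len(recent) >= threshold:
                findings[account].append((when, sorted(set(recent))))
            failures[account].clear()  # start counting afresh after each lockout
    return dict(findings)

def repeated_lockouts(findings, minimum=2):
    """Accounts locked out again and again by outside guessing (the DoS pattern)."""
    return sorted(acct for acct, hits in findings.items() if len(hits) >= minimum)
```

On the sample data only `jsmith` is reported: `akhan` was locked out by failures from an internal address, which this check deliberately ignores.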
The patches for Internet Explorer (IE) are important, if nothing else, because of the widespread use of the browser; no matter how critical or non-critical you may judge an issue with IE, the sheer number of its users makes it a critical one and, therefore, it should be patched.
I do like the approach taken by Microsoft to not interrupt the update process based on the issue of the Flame worm; they seem to have decided to fix that separately. In fact, the link http://support.microsoft.com/kb/2718704 contains instructions on how to do just that and the packages to download to fix the issue. If you aren’t familiar with this issue, literature on the same is in abundance on the internet – it’s a worm which exploits a vulnerability allowing unauthorized certificates to appear as legitimate and, consequently, allowing spoofing of the update process itself.
Therefore, the update is not part of the update process but is a separate download altogether. The only issue with that, as I see it, is the layperson or ‘generic’ home user who may remain unaware of all this, and will never ever actually install it. That said, my hope is that at some point, Microsoft will automatically include this within the update process so everyone will be protected.