"In over 10 years in this job, I still cannot fathom why someone would open [the RDP] port to the Internet without the protection of a VPN or remote connection software like Citrix," said Stella in an email Tuesday. "Nevertheless, even within our customers, we count several who demanded this port be open from the Internet, despite our strong advice against it."
Other security updates from Microsoft patched flaws in the .Net framework, the company's Lync enterprise instant messaging product, the Windows kernel and kernel-mode drivers, and Microsoft Dynamics AX 2012, an enterprise resource planning (ERP) program.
Some of those need close inspection, said Miller.
"If you don't review [MS12-039 and MS12-040] you could miss something," Miller said. "Quite often we just assume our patch management product will cover all products and patches, [but] it is important to stay vigilant and read all information that is released to ensure your network is 100% covered."
Miller was referring to footnotes in those bulletins that told customers that some (in the case of MS12-039, the Lync update) and all (for MS12-040, which affects Dynamics AX) of the patches must be downloaded manually from Microsoft's Download Center. They're not served up through the usual Windows Update service or the enterprise-grade Windows Server Update Service (WSUS) software.
The Lync update had its own back story that intrigued researchers.
One of the vulnerabilities patched in MS12-039 had been fixed several times in other Microsoft software, first in November 2011, then again in May 2012. In each case, the bug was located in code that parsed TrueType fonts.
Last month, Microsoft acknowledged that the code had been copied and pasted into multiple products, and said it was hunting down each occurrence.
What was noteworthy about the font-parsing code was that it had been exploited last fall by Duqu, a sophisticated cyber-spying Trojan that most experts believe was linked to the even-more-notorious Stuxnet, the worm used to sabotage Iran's nuclear program in 2009 and 2010.
"Microsoft has done a source code audit to find instances where this [font parsing code] was in use," said Wolfgang Kandek, chief technology officer at Qualys. "This month's might be a leftover of that audit."
Storms speculated that Microsoft added MS12-039 at the last moment -- the Lync update had not been mentioned in last week's advance notification -- because of the ties to Duqu.
Another expert, Marc Maiffret, chief technology officer at BeyondTrust, chided Microsoft for the constant patching of the same bug.
"Here we are seven months after the original Duqu fix for TrueType font parsing and this same code reuse bug has reared its ugly head [again]," said Maiffret in an email.
In fact, the Lync update took the place of one that Microsoft had intended to ship Tuesday, but pulled for some reason. The company did not explain why it yanked that update, which was to patch all versions of Microsoft Office on Windows, but when it's made last-minute changes before, it's been because it found a flaw in the update or encountered compatibility issues with its own or important third-party software.
Researchers, including Storms, expect that Microsoft will ship the delayed Office update next month.
Microsoft also issued a new security advisory on Tuesday, admitting that a critical unpatched vulnerability in all versions of Windows -- as well as in Office 2003 and Office 2007 -- was being exploited by attackers who duped victims into visiting malicious websites.