Microsoft warns of RDP attack within next 30 days

Microsoft has released six updates in this month's patch Tuesday, including one critical hole that Redmond warns will be hit in the next 30 days. The critical flaw covers all versions of Windows and is found in the Remote Desktop Protocol (RDP). It allows attackers to run code remotely behind the firewall, although Vista users …

COMMENTS


Blowout soon, fellow Stalker!

When?

NOW!


Re: Blowout soon, fellow Stalker!

Don't just stand there, Stalker, come in!


Next 30 DAYS?

What bloody planet are they on?

Next 30 HOURS is more likely now they have publicised it.

Possibly even 30 Minutes.

Tin-foil hat time.

Hey, there should be a tin-foil-hat icon!

Anonymous Coward

Re: Next 30 DAYS?

Read it again, it took me a couple of reads to get it as it's not a particularly brilliant headline: What it actually says is that MS are warning that the vulnerability will be hit (by bad guys, presumably) in the next 30 days, so you need to patch it now. The patch was released on Patch Tuesday which was yesterday.

Top marks for the Reg's generate-outrage-and-therefore-comments department, less than full marks for their accurate-headlines department.

Anonymous Coward

Re: Next 30 DAYS?

He does have a point, now the patch is out it can be reverse engineered to see what it's patching and thus aid in the discovery of the vulnerability for exploit writers. I too think 30 days is optimistic.

Ultimately though it's irrelevant, good sysadmins will have patched and bad ones won't.


Re: Next 30 DAYS?

MS isn't saying it will take 30 days before there is an exploit. They aren't saying exactly when the exploit will come out. If it came out 30 minutes after they released the patch that would be "within 30 days." What they are saying is that BY 30 days, the probability of a widely distributed exploit approaches unity.


Dangit.

This one was one of my favorites.


Let's be a little realistic here...

This doesn't concern end-users.

As stated in the article, Remote Desktop is turned off by default, but it gets better: the RDP server is not available on consumer products (XP Home, Vista/7 Home Premium) but only on the Professional versions of the OS and above.

So most people won't even notice all this.


Re: Let's be a little realistic here...

Ouch. Not end users maybe, but for the rest of us dealing with thousands of desktops and a whole bunch of terminal servers in our businesses, that's bad news. Or any kind of server for that matter. Which 2003/2008 server doesn't have RDP turned on nowadays? We don't manage these from the console anymore. Of course many desktops have RDP turned on too, because "you know, when I'm away but on the company's intranet, I *do* need to access my computer to work". This vulnerability does seem to have all the ingredients for the popo to hit the fan.

Busy approving the updates on our WSUS and planning reboots of the server farms now... because the darn thing *does* require a reboot, of course.


Re: Let's be a little realistic here...

Let's be realistic here, we're on a technology website for IT professionals. So who gives a crap whether it concerns end-users or not? It concerns us.


Re: Let's be a little realistic here...

RDP server is present on all of the above, it's how Remote Assistance works.


Re: Let's be a little realistic here...

"This doesn't concern end-users."

Fixing that? Nah, mate, more than me jobs'worth.

Do you happen to work for CityRail?

I think even the BOFH's dad has a machine with a "professional" OS with RDP enabled, so the BOFH can remove the virii remotely (we are all tech support for our parents, right?).

End-users - exactly whose PCs make up the countless botnets?

Anonymous Coward

Re: Let's be a little realistic here...

Tell that to the potential millions of end users who will get their old Java installation or Flash exploited as a result of all the websites that will be compromised using this bug.

All those Windows VMs running Xen, VMware, whatever usually have RDP enabled on a publicly routable IP, what do you think those Russian mafia guys will do with it once they get hold of a reliable exploit?

Everyone is affected and that faggot luigi auriemma needs to die.


Re: Let's be a little realistic here...

It shouldn't really be a problem on modern networks, since the only reason to turn off Network Level Authentication (going from memory here) is for compatibility with XP. On the other hand if you have XP machines you're stuck.


Re: Let's be a little realistic here...

so 75% of the Windows user base


Public IPs only?

Hmm, I am guessing this is mostly of concern to people - mainly businesses - that expose Remote Desktop to the public internet, rather than behind VPNs, etc.

This might also be a problem for people using the multiple concurrent users on XP hack, since there probably won't be a patch for that particular little trick...


Re: Public IPs only?

That's what I was thinking. If the firewall blocks RDP traffic and one needs a VPN to get access - surely the risk is low? If the network is so compromised as to allow this attack, then the company in question has much, much bigger problems.

I guess laptops outside the office with RDP enabled could be a risk.


Re: Public IPs only?

Sadly we have a number of customers who against our recommendation (and in one case as recommended by a national telco containing the letters B and T) have outward facing RDP ports. Time to phone them all up and point out the warnings again and this story.


Re: Public IPs only?

"If the firewall blocks RDP traffic and one needs a VPN to get access - surely the risk is low?"

I really don't see any security setup being successful these days if it assumes perimeter security will be sufficient.


Re: Public IPs only?

For those playing at home, don't forward 3389 to any machine behind the firewall and NAT, problem solved. Change the listen port from 3389 to 25 and confuse the kiddies while you're at it.

I'm going to have trouble sleeping tonight just imagining people with a public facing RDP port.

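The posts above argue about who actually has 3389 facing the internet and whether the firewall or a VPN makes the hole moot. The quickest way to settle it for a given host is to ask the listener itself. The following is an added example, not code from the article, from Microsoft or from any commenter: it builds the X.224 Connection Request with an RDP Negotiation Request (the structures in MS-RDPBCGR 2.2.1.1 and 2.2.1.2), asks for the old RDP security layer only, and classifies the Connection Confirm. A server that enforces Network Level Authentication must refuse that request with `HYBRID_REQUIRED_BY_SERVER`; a server that accepts it, or that predates negotiation entirely, lets an unauthenticated client into the RDP stack, which is the exposure the thread is worried about. The host and port passed to `probe()` are the only inputs; the three sample responses are constructed by hand for offline use, not captured from any real machine.

```python
"""Added example: decide from the outside whether an RDP listener lets an
unauthenticated client into the RDP stack (no NLA) or refuses it.

Not code from the article. Wire format from MS-RDPBCGR sections 2.2.1.1
(X.224 Connection Request + RDP_NEG_REQ) and 2.2.1.2 (Connection Confirm +
RDP_NEG_RSP / RDP_NEG_FAILURE). The sample responses at the bottom are
constructed, not captured."""
import socket
import struct

PROTOCOL_RDP = 0x00000000     # standard RDP security: no NLA
PROTOCOL_SSL = 0x00000001     # TLS, still no NLA
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

PROTOCOL_NAMES = {PROTOCOL_RDP: "PROTOCOL_RDP", PROTOCOL_SSL: "PROTOCOL_SSL",
                  PROTOCOL_HYBRID: "PROTOCOL_HYBRID"}
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_RDP, cookie=b"mstshash=probe"):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ.

    Asking for PROTOCOL_RDP only is the interesting probe: a server that
    enforces NLA has to answer with RDP_NEG_FAILURE instead of proceeding."""
    cookie_field = b"Cookie: " + cookie + b"\r\n"
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)
    # CR code 0xE0, DST-REF, SRC-REF, class 0, then cookie and negotiation request
    body = b"\xe0\x00\x00\x00\x00\x00" + cookie_field + neg_req
    x224 = struct.pack("B", len(body)) + body          # LI counts bytes after itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Classify an X.224 Connection Confirm. Returns (kind, detail):
    ("no_negotiation", None)  legacy server, no RDP_NEG_RSP at all
    ("selected", name)        RDP_NEG_RSP with the protocol the server chose
    ("failure", name)         RDP_NEG_FAILURE with its failure code."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d != %d bytes received" % (tpkt_len, len(data)))
    li, code = data[4], data[5]
    if code != 0xD0:
        raise ValueError("X.224 TPDU code 0x%02x is not Connection Confirm" % code)
    payload = data[11:5 + li]        # whatever follows the 6 fixed CC fields
    if not payload:
        return ("no_negotiation", None)
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", payload[:8])
    if neg_len != 8:
        raise ValueError("bad RDP negotiation structure length %d" % neg_len)
    if neg_type == TYPE_RDP_NEG_RSP:
        return ("selected", PROTOCOL_NAMES.get(value, "0x%08x" % value))
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return ("failure", FAILURE_CODES.get(value, "0x%08x" % value))
    raise ValueError("unexpected negotiation type 0x%02x" % neg_type)


def pre_auth_reachable(confirm):
    """True if an unauthenticated client gets into the RDP stack, False if
    the server insists on NLA, None if this one probe cannot decide."""
    kind, detail = parse_connection_confirm(confirm)
    if kind == "no_negotiation":
        return True                      # old-style RDP security only
    if kind == "selected":
        return detail != "PROTOCOL_HYBRID"
    if detail == "HYBRID_REQUIRED_BY_SERVER":
        return False
    return None                          # e.g. SSL_REQUIRED: re-probe asking for TLS


def probe(host, port=3389, timeout=5.0):
    """Send the probe to a live host and return pre_auth_reachable()."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        data = sock.recv(64)
    return pre_auth_reachable(data)


# Constructed sample responses (not captured from any real host).
SAMPLE_NLA_REQUIRED = bytes.fromhex("03000013" "0ed000001234" "00" "0300080005000000")
SAMPLE_LEGACY_RDP = bytes.fromhex("03000013" "0ed000001234" "00" "0200080000000000")
SAMPLE_NO_NEGOTIATION = bytes.fromhex("0300000b" "06d000001234" "00")

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))  # e.g. python rdp_probe.py 192.0.2.10
```

Run it against your own perimeter address space, not someone else's. A `True` means the host is in the position the thread describes: whatever an attacker sends after the Connection Confirm is parsed before any credential is checked, so the only things between them and the RDP stack are the patch and the firewall. A `None` on `SSL_REQUIRED_BY_SERVER` means the server wants TLS but has not said anything about NLA; re-run with `requested=PROTOCOL_SSL` to find out.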
Silver badge

Re: Public IPs only?

"That's what I was thinking. If the firewall blocks RDP traffic and one needs a VPN to get access - surely the risk is low? If the network is so compromised as to allow this attack, then the company in question has much, much bigger problems."

So because the door is locked you feel safe to leave the family jewels on the kitchen table?

Don't forget that a fair amount of unauthorised access is performed from inside a company network.


Re: Public IPs only?

This.

People need to stop putting faith in outward facing firewalls and come to terms with the fact that they need to bite the bullet and set their Windows machines to auto install updates.

Yes, there is a reboot. Yes you can configure the time it occurs. And yes, if your company really has hundreds or thousands of machines then your company can afford to build systems that stay running nearly 100% of the time and still have these updates applied.

It absolutely boggles my mind every time I see yet another network admin who thinks they know better and isn't religious about applying patches in a timely manner, regardless of what was fixed. I've seen a tremendous number of systems cracked because of those same fools.

And please don't give me this crap about the potential of patches cratering a system. If a program depends on unpatched behavior then you need to find another vendor that knows how to write code. Security is too important. And, yes, I know most AV vendors have a horrible track record. In my opinion they have one "oops". The second time I'll switch vendors.


Re: Public IPs only?

Autoupdate is ONLY suitable for home users. If you were the CIO of my company and I found out you'd simply enabled auto-update to protect systems I'd fire you on the spot.

Companies should have a properly configured patch management system that allows admins to download and test patches before hitting the switch for mass deployment. After the switch has been hit it needs to report back how many systems have actually deployed the patch. And within a few days at most, if the patch hasn't been applied a desktop or help desk tech should be dispatched to review and resolve the issue. Ideally the patch system gets your non-MS patches as well, but if you can't afford those at a minimum you're using a properly configured WSUS server.

Of course in the real world, things don't work that way. I bitch at least once a month about an app that depends on a framework that the vendor stopped supporting two years before I was hired, and I was hired more than two years ago. Why do I bitch? Because once again the monthly update deployed by the Network Admin to patch documented security holes in the framework has bolluxed the hideously old version of the framework even though they are supposed to live side by side (in other words, it's not an MS framework). And yes, if I were in a position of authority I'd fire the vendor for the critical system product based on that framework. But near as I can tell the vendor has enough cash to buy off enough pols to keep the product in place.

Anonymous Coward

Re: Public IPs only?

@Chris, while I basically agree with you, testing is required. I speak as someone who worked for a company which used Lotus Notes when NT4 SP6 was released. Luckily we didn't roll it out and testing showed the SP broke Notes. MS issued a fix, hence why NT SP6 is actually called SP6A.

I have also rather more recently had similar happen on Linux, my Arduino dev environment was completely hosed for several months because a GCC update knackered it. After the spat between the people at Arduino and the GNU tools people the GNU tools people fixed it, but not nearly quickly enough.

Both Lotus/IBM and GNU devs are big legit developers, who you can't easily swap from.


Re: Public IPs only?

"framework that the vendor stopped supporting two years"

Is this code for all legacy Java apps?


3383

Always been a popular port to sniff. No reason why MS should suddenly get excited


Re: 3383

Not to mention RDP port 3389

Anonymous Coward

Re: 3383

Maybe, but they'll get better results if they used 3389 :-)


Re: 3383

Oops, typo there. Better get the big book of IT out and have a read.

Anonymous Coward

hmm...

I use xrdp on a Linux remote access server, is there any news on whether the Linux versions of RDP are also affected?

Anonymous Coward

Re: hmm...

Maybe, which of the all-slightly-differently-forked versions are you using? I think it was fixed in Umbongohat 10.9, but broken again in 11.3, then fixed again in 11.4, broken again in 11.7, 11.9 and 11.18; a final fix appeared in 12.5 but this broke the UI, so no-one uses that version.

Just open up the source and code yourself a patch; then recompile. Isn't that the joy of open source?

Wow, my tea must have been full of snark.

trolololololololol!


Re: hmm...

Well duh! Every fool noes that Sarky Cheesecake Aardvark is the best version to use. The new Griblet UI is streets ahead of Melodius Newt.

Anonymous Coward

Re: hmm...

OP here: Actually, it's Monkey Spunk 10.9.5.2.1, compiled by hand, anyone suggesting any other version of Linux is clearly a noobtard.

...

Actually - it's CentOS 6 ish.

g e

Microsoft have come a long way

But for another company, arguably a competitor, to be fixing your shit for you still...

Presumably Moz sent MS a bug report stating what they'd done, too? Just a guess.

Anonymous Coward

Re: Microsoft have come a long way

That's not what it says - it says that the issue Mozilla were concerned about had already been fixed. This is far more likely to be a problem with the install of Mozilla's update clashing with a fix from MS, but it turned out that Mozilla had already fixed their problem. Were Mozilla fixing MS OS problems, I would expect far more than a mention in passing in a paragraph at the bottom of an article.


From reading the article, it sounds like the RDP server runs on the contents of RDP connections *before* they've been authenticated. Unless it's a code exec bug in the authentication code, the protocol sounds pretty broken by design...

Anonymous Coward

Not quite...

The old version of RDP presented you with the target server's logon screen, so that all the authentication was handled by the server as if it were a normal desktop session and RDP was essentially transparent. New versions of RDP make you authenticate before any session has been set up (unless you've switched that off). Either way, there is no unconditional access allowed, unless you've hacked the registry to allow it.

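The two RDP modes described above (logon screen served by the session, versus Network Level Authentication before the session exists) and the earlier point that turning NLA off is usually done for XP compatibility come down to a handful of host settings. The script below is an added example, not from the article, from Microsoft or from any commenter: it reads those settings on the local machine, checks whether anything is listening on the configured port, checks for the MS12-020 update, and can switch NLA on. Assumptions: the documented Terminal Server registry values and the `Win32_TSGeneralSetting` WMI class (Vista/2008 and later; XP and 2003 have neither NLA nor the class), and KB2671387 as the MS12-020 package number, which is stated here from memory and is not on the page. Run it elevated.

```powershell
# Added example (not from the article): audit this host's Remote Desktop
# exposure and MS12-020 status, optionally enforce NLA.
# Assumption: KB2671387 is the MS12-020 update (from memory, not from the page).
param([switch]$EnforceNla)

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Join-Path $ts 'WinStations\RDP-Tcp'

function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$denyTs   = Get-RegValue $ts  'fDenyTSConnections'   # 1 = Remote Desktop off
$nla      = Get-RegValue $tcp 'UserAuthentication'   # 1 = NLA required (absent on XP/2003)
$secLayer = Get-RegValue $tcp 'SecurityLayer'        # 0 = RDP security, 1 = negotiate, 2 = TLS
$port     = Get-RegValue $tcp 'PortNumber'           # 3389 unless someone moved it

# Is anything actually listening on that port right now?
$listening = [bool](netstat -ano | Select-String "TCP\s+\S+:$port\s+\S+\s+LISTENING")

# Is the MS12-020 update installed?
$patched = [bool](Get-HotFix -Id 'KB2671387' -ErrorAction SilentlyContinue)

New-Object PSObject -Property @{
    ComputerName     = $env:COMPUTERNAME
    RemoteDesktopOn  = ($denyTs -eq 0)
    ListeningPort    = $port
    Listening        = $listening
    NlaRequired      = ($nla -eq 1)
    SecurityLayer    = $secLayer
    MS12_020_Applied = $patched
} | Format-List

if (-not $patched -and $listening -and ($nla -ne 1)) {
    Write-Warning 'Unauthenticated clients reach the RDP stack on this host and MS12-020 is missing.'
}

if ($EnforceNla) {
    # The Terminal Services WMI provider adjusts SecurityLayer consistently with NLA.
    $setting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if ($setting) {
        $null = $setting.SetUserAuthenticationRequired(1)
        Write-Output 'NLA now required on RDP-Tcp. XP clients need SP3 with CredSSP enabled.'
    } else {
        Write-Warning 'Win32_TSGeneralSetting not found: this OS cannot enforce NLA.'
    }
}
```

Enforcing NLA does not replace the patch; it only means the vulnerable parsing is no longer reachable by a client with no credentials. Moving the port, as suggested upthread, changes `ListeningPort` and nothing else, so the script still finds the listener. If you run this across a fleet from WSUS or a script host, the `MS12_020_Applied` column is the one to sort on.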
Anonymous Coward

Code runs before authentication is required

"This issue is potentially reachable over the network by an attacker before authentication is required"

http://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx


Slow IE9 page loads after applying patches

Anyone else experiencing very very slow page loads in IE9 on Vista after applying the patches issued yesterday? Rolled back my laptop after applying yesterday's patches and IE9 returned to its usual response times. Installed the patches again today and back to slow page loads. I'm talking about a minute to load a page that previously took a couple of seconds. Happens with all sites I visit.

