back to article Microsoft warns of RDP attack within next 30 days

Microsoft has released six updates in this month's patch Tuesday, including one critical hole that Redmond warns will be hit in the next 30 days. The critical flaw covers all versions of Windows and is found in the Remote Desktop Protocol (RDP). It allows attackers to run code remotely behind the firewall, although Vista users …

COMMENTS

This topic is closed for new posts.
  1. Destroy All Monsters Silver badge
    Devil

    Blowout soon, fellow Stalker!

    When?

    NOW!

    1. Wombling_Free
      Thumb Up

      Re: Blowout soon, fellow Stalker!

      Don't just stand there, Stalker, come in!

  2. Wombling_Free
    Windows

    Next 30 DAYS?

    What bloody planet are they on?

    Next 30 HOURS is more likely now they have publicised it.

    Possibly even 30 Minutes.

    Tin-foil hat time.

    Hey, there should be a tin-foil-hat icon!

    1. Anonymous Coward
      Anonymous Coward

      Re: Next 30 DAYS?

      Read it again, it took me a couple of reads to get it as it's not a particularly brilliant headline: What it actually says is that MS are warning that the vulnerabillity will be hit (by bad guys, presumably) in the next 30 days, so you need to patch it now. The patch was released on Patch Tuesday which was yesterday.

      Top marks for the Reg's generate-outrage-and-therefore-comments department, less than full marks for their accurate-headlines department.

      1. Anonymous Coward
        Anonymous Coward

        Re: Next 30 DAYS?

        He does have a point, now the patch is out it can be reverse engineered to see what it's patching and thus aid in the discovery of the vulnerability for exploit writers. I too think 30 days is optimistic.

        Ultimately though it's irrelevant, good sysadmins will have patched and bad ones won't.

      2. Tom 13

        Re: Next 30 DAYS?

        MS isn't saying it will take 30 days before there is an exploit. They aren't saying exactly when the exploit will come out. If it came out 30 minutes after they released the patch that would be "within 30 days." What they are saying is that BY 30 days, the probability of a widely distributed exploit approaches unity.

  3. Mikel
    Devil

    Dangit.

    This one was one of my favorites.

  4. Anonymous Coward
    Windows

    Lets be a little realistic here...

    This doesn't concern end-users.

    As stated in the article; Remote desktop is turned off by default, but it gets better; RDP server is not available on consumer products (XP Home, Vista/7 Home premium) but only on the OS Professional versions and above.

    So most people won't even notice all this.

    1. Alain
      Unhappy

      Re: Lets be a little realistic here...

      Ouch. Not end users maybe, but for the rest of us dealing with thousands of desktops and a whole bunch of terminal servers in our businesses, that's bad news. Or any kind of server for that matter. Which 2003/2008 server doesn't have RDP turned on nowadays? we don't manage these from the console anymore. Of course many desktops have RDP turned on too, because "you know, when I'm away but on the company's intranet, I *do* need to access my computer to work". This vulnerability does seem to have all the ingredients for the popo to hit the fan.

      Busy approving the updates on our WSUS and planning reboots of the server farms now... because the darn thing *does* require a reboot, of course.

    2. Alex Rose
      FAIL

      Re: Lets be a little realistic here...

      Let's be realistic here, we're on a technology website for IT professionals. So who gives a crap whether it concerns end-users or not? It concerns us.

    3. richard 7
      FAIL

      Re: Lets be a little realistic here...

      RDP server is present on all of the above, its how remote assistance works.

    4. Wombling_Free
      Flame

      Re: Lets be a little realistic here...

      "This doesn't concern end-users."

      Fixing that? Nah, mate, more than me jobs'worth.

      Do you happen to work for CityRail?

      I think even the BOFH's dad has machine with a "professional" OS with RDP enabled, so the BOFH can remove the virii remotely (we are all tech support for our parents, right?).

      End-users - exactly whose PCs make up up the countless botnets?

    5. Anonymous Coward
      Anonymous Coward

      Re: Lets be a little realistic here...

      Tell that to the potential millions of end users who will get their old java installation or flash exploited as a result of all the websites that will be compromised using this bug.

      All those windows VMs running xen, vmware, whatever usually have RDP enabled on a publicly rotatable IP, what do you think those russian mafia guys will do with it once they get ahold of a reliable exploit?

      Everyone is affected and that faggot luigi auriemma needs to die.

    6. Benjamin 4

      Re: Lets be a little realistic here...

      It shouldn't really be a problem on modern networks, since the only reason to turn off network level authentication (going from memory here) is for compatibility with xp. On the other hand if you have xp machines you're stuck.

      1. I think so I am?
        IT Angle

        Re: Lets be a little realistic here...

        so 75% of the Windows user base

  5. Michael Kean

    Public IPs only?

    Hmm., I am guessing this is mostly of concern to people - mainly businesses - that expose Remote Desktop to the public internet, rather than behind VPNs, etc.

    This might also be a problem for people using the multiple concurrent users on XP hack, since there probably won't be a patch for that particular little trick...

    1. The BigYin

      Re: Public IPs only?

      That's what I was thinking. If the firewall blocks RDP traffic and one needs a VPN to get access - surely the risk is low? If the network is so compromised as to allow this attack, then the compnay in question has much, much bigger problems.

      I guess laptops outside the office with RDP enabled could be a risk.

      1. richard 7

        Re: Public IPs only?

        Sady we have a number of customers who against our reccomendation (and in one case as reccomended by a national telco containing the letters B and T) have outward facing RDP ports. Time to phone them all up and point out the warnings again and this story.

      2. Audrey S. Thackeray

        Re: Public IPs only?

        "If the firewall blocks RDP traffic and one needs a VPN to get access - surely the risk is low?"

        I really don't see any security setup being successful these days if it assumes perimeter security will be sufficient.

        1. MacGyver
          IT Angle

          Re: Public IPs only?

          For those playing at home, don't forward 3389 to any machine behind the firewall and NAT, problem solved. Change the listen port from 3389 to 25 and confuse the kiddys while your at it.

          I'm going to have trouble sleeping tonight just imagining people with a public facing RDP port.

        2. chris lively

          Re: Public IPs only?

          This.

          People need to stop putting faith in outward facing firewalls and come to terms with the fact that they need to bite the bullet and set their windows machines to auto install updates.

          Yes, there is a reboot. Yes you can configure the time it occurs. And yes, if your company really has hundreds or thousands of machines then your company can afford to build systems that stay running nearly 100% of the time and still have these updates applied.

          It absolutely boggles my mind every time I see yet another network admin who thinks they know better and isn't religious about applying patches in a timely manner, regardless of what was fixed. I've seen a tremendous number of systems cracked because of those same fools.

          And please don't give me this crap about the potential of patches cratering a system. If a program depends on unpatched behavior then you need to find another vendor that knows how to write code. Security is too important. And, yes, I know most AV vendors have a horrible track record. In my opinion they have one "oops". The second time I'll switch vendors.

          1. Tom 13
            Flame

            Re: Public IPs only?

            Autoupdate is ONLY suitable for home users. If you were the CIO of my company and I found out you'd simply enabled auto-update to protect systems I'd fire you on the spot.

            Companies should have a properly configured patch management system that allows admins to download and test patches before hitting the switch for mass deployment. After the switch has been hit it needs to report back how many systems have actually deployed the patch. And within a few days at most, if the patch hasn't been applied a desktop or help desk tech should be dispatched to review and resolve the issue. Ideally the patch system gets your non-MS patches as well, but if you can't afford those at a minimum you're using a properly configured WSUS server.

            Of course in the real world, thing don't work that way. I bitch at least once a month about an app that depends on a framework that the vendor stopped supporting two years before I was hired, and I was hired more than two years ago. Why do I bitch? Because once again the monthly update deployed by the Network Admin to patch documented security holes in the framework has bolluxed the hideously old version of the framework even though they are supposed to live side by side (in other words, it's not an MS framework). And yes, if I were in a position of authority I'd fire the vendor for the critical system product based on that framework. But near as I can tell the vendor has enough cash to buy off enough pols to keep the product in place.

            1. I think so I am?
              IT Angle

              Re: Public IPs only?

              "framework that the vendor stopped supporting two years"

              Is this code for all legacy Java apps?

          2. Anonymous Coward
            Anonymous Coward

            Re: Public IPs only?

            @Chris, while I basically agree with you, testing is required. I speak as someone who worked for a company which used Lotus Notes when NT4 SP6 was released. Luckily we didn't roll it out and testing showed the SP broke Notes. MS issued a fix, hence why NT SP6 is actually called SP6A.

            I have also rather more recently had similar happen on Linux, my Arduino dev environment was completely hosed for several months because a GCC update knackered it. After the spat between the people at Arduino and the GNU tools people the GNU tools people fixed it, but not nearly quickly enough.

            Both Lotus/IBM and GNU devs are big legit developers, who you can't easily swap from.

      3. Steve Evans

        Re: Public IPs only?

        "That's what I was thinking. If the firewall blocks RDP traffic and one needs a VPN to get access - surely the risk is low? If the network is so compromised as to allow this attack, then the compnay in question has much, much bigger problems."

        So because the door is locked you feel safe to leave the family jewels on the kitchen table?

        Don't forget that a fair amount of unauthorised access is performed from inside a company network.

  6. Tezfair

    3383

    Always been a popular port to sniff. No reason why MS should suddenly get excited

    1. Anonymous Coward
      Headmaster

      Re: 3383

      Not to mention RDP port 3389

      1. Tezfair
        Facepalm

        Re: 3383

        oops, typo there. better get the big book of IT out and have a read

    2. Anonymous Coward
      Anonymous Coward

      Re: 3383

      Maybe, but they'll get better results if they used 3389 :-)

  7. Anonymous Coward
    Anonymous Coward

    hmm...

    I use xrdp on a Linux remote access server, is there any news if the Linux versions of rap are also affected?

    1. Anonymous Coward
      Anonymous Coward

      Re: hmm...

      Maybe, which of the all-slightly-differently-forked versions are you using? I think it was fixed in Umbongohat 10.9, but broken again in 11.3, then fixed again in 11.4, broken again in 11.7, 11.9 and 11.18; a final fix appeared in 12.5 but this broke the UI, so no-one uses that version.

      Just open up the source and code yourself a patch; then recompile. Isn't that the joy of open source?

      Wow, my tea must have been full of snark.

      trolololololololol!

      1. AndrueC Silver badge
        Joke

        Re: hmm...

        Well duh! Every fool noes that Sarky Cheesecake Aardvark is the best version to use. The new Griblet UI is streets ahead of Melodius Newt.

        1. Anonymous Coward
          Anonymous Coward

          Re: hmm...

          OP here: Actually, it's Monkey Spunk 10.9.5.2.1, compiled by hand, anyone suggesting any other version of Linux is clearly a noobtard.

          ...

          Actually - it's CentOS 6 ish.

  8. g e
    Facepalm

    Microsoft have come a long way

    But for another company, arguably a competitor, to be fixing your shit for you still...

    Presumably Moz sent MS a bug report stating what they'd done, too? Just a guess.

    1. Anonymous Coward
      Anonymous Coward

      Re: Microsoft have come a long way

      That's not what it says - It says that the issue mozilla were concerned about had already been fixed. This is far more likely to be a problem with the install of mozilla's update clashing with a fix from MS, but that it turned out that mozilla had already fixed their problem. Were mozilla fixing MS OS problems, I would expect far more than a mention in passing in a paragraph at the bottom of an aticle.

  9. Jeff 11
    Facepalm

    From reading the article, it sounds like the RDP server runs on the contents of RDP connections *before* they've been authenticated. Unless it's a code exec bug in the authentication code, the protocol sounds pretty broken by design...

    1. Anonymous Coward
      Anonymous Coward

      Not quite...

      The old version of RDP presented you with the target server's logon screen, so that all the authentication was handled by the server as if it were a normal desktop session and RDP was essentially transparent. New versions of the RDP make you authenticate before any connection has been made (unless you've switched that off). Either way, there is no unconditional access allowed, unless you've hacked the registry to allow it.

    2. Anonymous Coward
      Anonymous Coward

      Code runs before authentication is required

      "This issue is potentially reachable over the network by an attacker before authentication is required"

      http://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx

  10. Hyde

    Slow IE9 page loads after applying patches

    Anyone else experiencing very very slow page loads in IE9 on Vista after applying the patches issued yesterday? Rolled back my laptop after applying yesterday's patches and IE9 returned to its usual response times. Installed the patches again today and back to slow page loads. I'm talking about a minute to load a page that previously took a couple of seconds. Happens with all sites I visit.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019