Microsoft warns of RDP attack within next 30 days Microsoft has released six updates in this month's patch Tuesday, including one critical hole that Redmond warns will be hit in the next 30 days. The critical flaw covers all versions of Windows and is found in the Remote Desktop Protocol (RDP). It allows attackers to run code remotely behind the firewall, although Vista users …
Read it again, it took me a couple of reads to get it as it's not a particularly brilliant headline: What it actually says is that MS are warning that the vulnerabillity will be hit (by bad guys, presumably) in the next 30 days, so you need to patch it now. The patch was released on Patch Tuesday which was yesterday.
Top marks for the Reg's generate-outrage-and-therefore-comments department, less than full marks for their accurate-headlines department.
He does have a point, now the patch is out it can be reverse engineered to see what it's patching and thus aid in the discovery of the vulnerability for exploit writers. I too think 30 days is optimistic.
Ultimately though it's irrelevant, good sysadmins will have patched and bad ones won't.
MS isn't saying it will take 30 days before there is an exploit. They aren't saying exactly when the exploit will come out. If it came out 30 minutes after they released the patch that would be "within 30 days." What they are saying is that BY 30 days, the probability of a widely distributed exploit approaches unity.
This doesn't concern end-users.
As stated in the article; Remote desktop is turned off by default, but it gets better; RDP server is not available on consumer products (XP Home, Vista/7 Home premium) but only on the OS Professional versions and above.
So most people won't even notice all this.
Ouch. Not end users maybe, but for the rest of us dealing with thousands of desktops and a whole bunch of terminal servers in our businesses, that's bad news. Or any kind of server for that matter. Which 2003/2008 server doesn't have RDP turned on nowadays? we don't manage these from the console anymore. Of course many desktops have RDP turned on too, because "you know, when I'm away but on the company's intranet, I *do* need to access my computer to work". This vulnerability does seem to have all the ingredients for the popo to hit the fan.
Busy approving the updates on our WSUS and planning reboots of the server farms now... because the darn thing *does* require a reboot, of course.
"This doesn't concern end-users."
Fixing that? Nah, mate, more than me jobs'worth.
Do you happen to work for CityRail?
I think even the BOFH's dad has machine with a "professional" OS with RDP enabled, so the BOFH can remove the virii remotely (we are all tech support for our parents, right?).
End-users - exactly whose PCs make up up the countless botnets?
Tell that to the potential millions of end users who will get their old java installation or flash exploited as a result of all the websites that will be compromised using this bug.
All those windows VMs running xen, vmware, whatever usually have RDP enabled on a publicly rotatable IP, what do you think those russian mafia guys will do with it once they get ahold of a reliable exploit?
Everyone is affected and that faggot luigi auriemma needs to die.
Hmm., I am guessing this is mostly of concern to people - mainly businesses - that expose Remote Desktop to the public internet, rather than behind VPNs, etc.
This might also be a problem for people using the multiple concurrent users on XP hack, since there probably won't be a patch for that particular little trick...
That's what I was thinking. If the firewall blocks RDP traffic and one needs a VPN to get access - surely the risk is low? If the network is so compromised as to allow this attack, then the compnay in question has much, much bigger problems.
I guess laptops outside the office with RDP enabled could be a risk.
For those playing at home, don't forward 3389 to any machine behind the firewall and NAT, problem solved. Change the listen port from 3389 to 25 and confuse the kiddys while your at it.
I'm going to have trouble sleeping tonight just imagining people with a public facing RDP port.
This.
People need to stop putting faith in outward facing firewalls and come to terms with the fact that they need to bite the bullet and set their windows machines to auto install updates.
Yes, there is a reboot. Yes you can configure the time it occurs. And yes, if your company really has hundreds or thousands of machines then your company can afford to build systems that stay running nearly 100% of the time and still have these updates applied.
It absolutely boggles my mind every time I see yet another network admin who thinks they know better and isn't religious about applying patches in a timely manner, regardless of what was fixed. I've seen a tremendous number of systems cracked because of those same fools.
And please don't give me this crap about the potential of patches cratering a system. If a program depends on unpatched behavior then you need to find another vendor that knows how to write code. Security is too important. And, yes, I know most AV vendors have a horrible track record. In my opinion they have one "oops". The second time I'll switch vendors.
Autoupdate is ONLY suitable for home users. If you were the CIO of my company and I found out you'd simply enabled auto-update to protect systems I'd fire you on the spot.
Companies should have a properly configured patch management system that allows admins to download and test patches before hitting the switch for mass deployment. After the switch has been hit it needs to report back how many systems have actually deployed the patch. And within a few days at most, if the patch hasn't been applied a desktop or help desk tech should be dispatched to review and resolve the issue. Ideally the patch system gets your non-MS patches as well, but if you can't afford those at a minimum you're using a properly configured WSUS server.
Of course in the real world, thing don't work that way. I bitch at least once a month about an app that depends on a framework that the vendor stopped supporting two years before I was hired, and I was hired more than two years ago. Why do I bitch? Because once again the monthly update deployed by the Network Admin to patch documented security holes in the framework has bolluxed the hideously old version of the framework even though they are supposed to live side by side (in other words, it's not an MS framework). And yes, if I were in a position of authority I'd fire the vendor for the critical system product based on that framework. But near as I can tell the vendor has enough cash to buy off enough pols to keep the product in place.
@Chris, while I basically agree with you, testing is required. I speak as someone who worked for a company which used Lotus Notes when NT4 SP6 was released. Luckily we didn't roll it out and testing showed the SP broke Notes. MS issued a fix, hence why NT SP6 is actually called SP6A.
I have also rather more recently had similar happen on Linux, my Arduino dev environment was completely hosed for several months because a GCC update knackered it. After the spat between the people at Arduino and the GNU tools people the GNU tools people fixed it, but not nearly quickly enough.
Both Lotus/IBM and GNU devs are big legit developers, who you can't easily swap from.
"That's what I was thinking. If the firewall blocks RDP traffic and one needs a VPN to get access - surely the risk is low? If the network is so compromised as to allow this attack, then the compnay in question has much, much bigger problems."
So because the door is locked you feel safe to leave the family jewels on the kitchen table?
Don't forget that a fair amount of unauthorised access is performed from inside a company network.
Maybe, which of the all-slightly-differently-forked versions are you using? I think it was fixed in Umbongohat 10.9, but broken again in 11.3, then fixed again in 11.4, broken again in 11.7, 11.9 and 11.18; a final fix appeared in 12.5 but this broke the UI, so no-one uses that version.
Just open up the source and code yourself a patch; then recompile. Isn't that the joy of open source?
Wow, my tea must have been full of snark.
trolololololololol!
That's not what it says - It says that the issue mozilla were concerned about had already been fixed. This is far more likely to be a problem with the install of mozilla's update clashing with a fix from MS, but that it turned out that mozilla had already fixed their problem. Were mozilla fixing MS OS problems, I would expect far more than a mention in passing in a paragraph at the bottom of an aticle.
The old version of RDP presented you with the target server's logon screen, so that all the authentication was handled by the server as if it were a normal desktop session and RDP was essentially transparent. New versions of the RDP make you authenticate before any connection has been made (unless you've switched that off). Either way, there is no unconditional access allowed, unless you've hacked the registry to allow it.
Anyone else experiencing very very slow page loads in IE9 on Vista after applying the patches issued yesterday? Rolled back my laptop after applying yesterday's patches and IE9 returned to its usual response times. Installed the patches again today and back to slow page loads. I'm talking about a minute to load a page that previously took a couple of seconds. Happens with all sites I visit.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
