March 13, 2012

Microsoft today released updates to sew up at least seven vulnerabilities in Windows and other software. The sole “critical” update in the bunch patches a particularly dangerous flaw in all supported versions of Windows that allows attackers to seize control over vulnerable systems remotely without authentication.

The critical update plugs two security holes in Microsoft’s Remote Desktop Protocol (RDP), a service that is designed to let administrators access Windows systems remotely over a network. The saving grace for these vulnerabilities — which are present inΒ Windows XP, Vista and 7, and Windows Server 2003, and 2008 — is that RDP not enabled by default on standard Windows installations. That means it is far more likely to be a threat to businesses than to consumer systems.

“It needs to be configured and started by the system’s owner, which then makes the vulnerability accessible; consequently we expect that only a relatively small percentage of machines will have RDP up and running,” said Wolfgang Kandek, chief technology officer for vulnerability management firm Qualys.

Dave Marcus, director of advanced research and threat intelligence at McAfee Labs, said this bulletin should be considered a top priority, noting that Microsoft has rated its “exploitability index” as 1, meaning that Microsoft expects working exploits to be available in fewer than 30 days.

“An unauthenticated remote code execution is pretty much as bad as it gets,” Marcus said.

For users and organizations that need time to evaluate the RDP patch before installing it, Microsoft has developed and released a FixIt tool to enable “Network-Level Authentication,” which according to the company is an effective mitigation for this issue.

The remainder of today’s updates address three other Windows vulnerabilities, and problems in Microsoft Expression Design and Microsoft Visual Studio.

For a breakdown of the patches, see Microsoft’s Security Bulletin Summary for March 2012. The fixes are available through Windows Update. As always, if you experience any problems or issues updating, please leave a note about your experience in the comments below.

28 thoughts on “RDP Flaws Lead Microsoft’s March Patch Batch

  1. Barry

    Unbelievable. 3389 is the one port I have open on the majority of my clients for remote desktop. Thanks for getting the word out.

    1. Neej

      Im surprised youve left it at the default of 3389 tbh

  2. PJ

    Hi Brian,

    I think you missed the end of a sentence:

    “…Microsoft has developed and released a FixIt tool to enable authentication for”

    Love the blog regardless πŸ˜‰

  3. Daniel

    “is that RDP not enabled by default on standard Windows installations.”

    This is true but it’s worth noting that some malware and especially Trojans will attempt to turn on RDP without the user knowing. I don’t like the casual attitude “no worries, it’s not turned on by default.” Yeah, well when was the last time you checked, on your computer?

    1. SFdude

      ok –

      so how can I
      easily and definitely check,
      if RDP is turned ON or OFF
      on an XP PRO-SP3 pc?

  4. JCitizen

    This is good, but I suspect some of my clients will continue to be attacked through RDP, as it is almost impossible to permanently disable in ‘Home Premium’ version of Win 7 x64.

    I sometimes wonder if it is the OEM doing this, as I haven’t been able to stop this on one HP desktop. I am resigned to locking the hard drive with a solution that works similar to steady state. We will see.

    If this patch puts one more hurdle in front of the criminal; I’m all for it.

    1. BrianKrebs Post author

      I assume you’ve tried disabling the RDP service from services.msc on Win 7? (Start, type services.msc and scroll down to the Remote Desktop Protocol listing and right click for service options start/stop/manual/disabled, etc)

      If so, are you saying this does not turn off the vulnerable service? Thanks.

      1. JCitizen

        Yes Sir; I have, but thank you for the advice, as others may need it. I think this machine is either spiked with an advance persistent threat, or was so by the refurb company that rebuilt it for HP. The client may be re-acquiring this during operation of course.

        It just goes to show, you never know where the criminals may come at you – some times they are already on the machine, when you buy it!! I’ve had similar problems with new Dell machines, but using the factory diagnostic utilities on the hard drive seems to wipe out the APTs there; also re-flashing the drive controller made a difference in that particular instance.

        It really gripes me no end that they don’t make a bios firmware that can be re-flashed; I’m not up to hacking the firmware file so that it will replace itself with the same version number.

        The criminals seem to have the ability to change policy on the machine to force RDP back on the machine, and they even put a spate of bad root certificates on board to help redirect the victim to fake Microsoft sites that place more malicious malware on-board instead of updates through the regular MS updater. Running as standard account doesn’t help, they have policy control already. This despite the fact that this is a Win7 Home Premium version, with no built in Group Policy object in the MMC. I think they must be using a snap in that does this function already.

        I always wipe and re-install with the hidden account totally disabled and password protected, and this didn’t even dent them! I’m beginning to suspect the Cyberlink DRM has been hijacked and has the upper hand in everything on the machine. So much for having a blu-ray – not even worth the trouble.

  5. Michael

    Remote Assistance connections are different – I assume this is not affected by the flaw? Might that be next? I think it is enabled by default.

    1. Doug

      Remote assistance is vulnerable – according to MS: under mitigating factors it says: “By default, the Remote Desktop Protocol is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk. Note that on Windows XP and Windows Server 2003, Remote Assistance can enable RDP.” And I think you are right – it is enabled by default.
      Can someone please confirm that is true?

      1. Doug

        To clarify:
        I’m asking if someone can confirm remote assistance is enabled by default?

        1. Daniel

          On Win 7 Remote Assistance is enabled by default but RDP is not.

  6. Michael

    It sounds like Remote Assistance can turn on RDP, but only if there’s a successful Remote Assistance connection going on, and that doesn’t appear to be possible through this flaw. That’s just me speculating, though.

    1. Doug

      Daniel & Seymour B – thank you for the confirmation. Michael, I noticed when using the remote assistance to logon to another machine I had to change the port to the same port that Remote Desktop was using (always change the default port as suggested above) before I could connect – confirming remote assistance is using the same protocol. But you may be right – to activate the remote assistance an invitation is sent from the machine wanting assistance, perhaps this turns on the service. Still, if you are not using this feature, still think it would be best to disable it. Brian has provided directions above to disable RD, in XP the same Remote tab has the remote assistance dialog.
      Thanks again, Brian, always read your column, great work!

      1. PB

        I, too, found Remote Assistance enabled as Doug described, in my case on an XP Pro SP3 machine.

        I disabled it. In the lack of further detail — perhaps even in spite of any reassurance that might be issued — I figured “better safe than sorry”. Given the other descriptions of it being able to enable RDP and/or its running on the same port, well…

  7. JCitizen

    I suspect some criminals may be using their own RDP solution, much the same way some folks install GoToMyPC on their machines, except this is an unwelcome intruder doing his/her dirty work.

    Victims would acquire these files the same way they catch all infections on their PCs. Unless pre-installed!

  8. merketing

    Scaring people out of previous windows version before the launch of the new windows 8, how interesting

  9. kooberfacer

    Hmm, why are we redirecting support to India?Beause its cheaper?Well thats what you get for being cheap.

    Cmon ,you cant tell me folks here in North America cant do these jobs?Yknow people who speak english for customers who speak english.
    Egads ! what a novelty!

    1. kooberfacer

      Sorry Mr Krebs , this post belongs under Avast/Iyogi comments.

  10. veekay

    I have been facing major issues with random freezing (severe lockups; not even CTRL+ALT+DEL working) and abnormal painfully slow bootups with my Windows 7 64-bit system, after Microsoft’s recent critical patches (March 17 updates).

    Has anyone else been facing the same issue??

    The problem doesn’t occur, if I reboot into safe mode, and I don’t face the lockups if I do a system restore to a point prior to these critical updates installation.

    I understand these patches are needed to plug some severe holes with recently discovered vulnerabilities (including the RDP exploit vulnerability), so I am concerned about whether I should still connect to the internet, as I still don’t see an official fix from MS for these severe issues with these critical new patches?

    1. JCitizen

      I assume you checked your update install history to make sure they actually didn’t fail. If they did – Microsoft will help you with the problem even if you don’t have a retail version of your operating system. If the history is good; you could try doing a clean boot and loading one or more startups at a time to see which one is causing the problem.

      It is not unusual to end of having to reinstall some applications or drivers after a major update. Hopefully it isn’t malware related.

Comments are closed.