March 13 2012
Microsoft is pushing a fix today for a newly-discovered security flaw in Remote Desktop Protocol (RDP) which could allow an attacker to connect to any PC running any version of Windows. They rate this as a Level 1 on their Exploitability Index (meaning that attackers will be working on malware to exploit it more or less immediately) and the fix is rated Critical (in other words, do this at once, and do it before any others).
RDP is commonly allowed through firewalls due to its utility. The service runs in kernel-mode as SYSTEM by default on nearly all platforms (except for one exception described below). During our investigation, we determined that this vulnerability is directly exploitable for code execution.
Most non-business users will receive the fix as part of the monthly Microsoft updates released on so-called Patch Tuesday (or, in the UK, Wednesday) but some users who do not have Automatic Updates enabled will be vulnerable to attackers exploiting this security weakness now that details of it have become available. These users can, and should, avail themselves of an alternative fix which Microsoft is making available.
For users and organizations that need time to evaluate the RDP patch before installing it, Microsoft has developed and released a FixIt tool to enable “Network-Level Authentication,” which according to the company is an effective mitigation for this issue.
There is a Microsoft Security Research & Defense blog post here which includes Fix-it solutions for this vulnerability. These do not require a PC to be rebooted after installation, unlike the Patch Tuesday fix.
There is something you can do to substantially reduce the risk on Windows Vista and later systems where RDP is enabled: You can enable Remote Desktop’s Network Level Authentication (NLA) to require authentication before a remote desktop session is established to the remote desktop server .....
Enabling NLA will prevent older clients (including Windows XP and Windows Server 2003) from connecting, by default. NLA will not disrupt remote desktop connections initiated by Windows Vista and later versions of Windows because they support NLA by default.
Microsoft has released an additional Fix-it tool that adds NLA support to Windows XP SP3 desktops and laptops, and this is also to be found in the blog post.
Most domestic users are likely to have Remote Desktop disabled, since it is off by default, but it is so rarely used that most users will not know whether it is enabled or not. The exception is likely to be any user who has needed to allow a remote user access to his or her machine for fault diagnosis or technical support.
Just to reiterate, remote desktop is not enabled by default and is not commonly enabled on client workstations.
(but:)
We urge you to promptly apply this security update. We also encourage you to consider how you might harden your environment against unauthenticated, attacker-initiated RDP connections.
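As an added example (not Microsoft's Fix-it tool or anything from the blog post), the PowerShell below reports whether Remote Desktop is enabled on the local machine and whether NLA is required, and with -RequireNla switches NLA on. It assumes the standard Terminal Server registry locations on Windows Vista and later and must be run from an elevated prompt.

```powershell
# Added example, not Microsoft's Fix-it: check the RDP listener state and NLA
# setting, and optionally require NLA. Run elevated on Vista or later.
param([switch]$RequireNla)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is disabled (the default on client SKUs).
$deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections `
            -ErrorAction SilentlyContinue).fDenyTSConnections
# UserAuthentication = 1 means NLA is required before a session is established.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication `
            -ErrorAction SilentlyContinue).UserAuthentication

if ($deny -eq 1) {
    Write-Host 'Remote Desktop: disabled (fDenyTSConnections=1).'
    Write-Host 'No RDP listener is exposed; still install the update in case it is enabled later.'
} else {
    Write-Host 'Remote Desktop: ENABLED. Install the update as soon as possible.'
}

if ($nla -eq 1) {
    Write-Host 'NLA: required (UserAuthentication=1). Unauthenticated connections are refused.'
} else {
    Write-Host 'NLA: NOT required. Unauthenticated clients can open a session to the listener.'
    if ($RequireNla) {
        # Same setting the "Allow connections only from computers running Remote Desktop
        # with Network Level Authentication" option changes. Older clients (Windows XP and
        # Server 2003 without the NLA Fix-it) will no longer be able to connect.
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
        Write-Host 'NLA is now required for new connections; no reboot is needed.'
    }
}
```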
Message was edited by: Hayton on 14/03/12 05:04:05 GMT