Windows Operating Systems Software Security Microsoft IT

New Batch of XP SP2 Holes

terap writes "Microsoft has acknowledged that it is working on a patch for a potentially serious security hole in the 'Remote Desktop' feature. It affects fully patched versions of Windows XP Service Pack 2, even with the integrated firewall turned on. There is a possibility this could lead to code execution attacks."
  • Hardware Firewall (Score:4, Insightful)

    by ForumTroll ( 900233 ) on Saturday July 16, 2005 @11:38AM (#13081654)
    Seriously people they're cheap as hell and much superior to anything you're going to get from Microsoft on a software level. Just close all ports on the hardware firewall, except the few that you need, and try to keep your computer updated. It's really a very simple process and can save you tons of time in the end.
• I have been battling with this exact problem for ages with one of my friends. Instead of reformatting/virus cleaning/spyware cleaning he'd rather just buy a whole new computer. He is currently on his 4th computer, but refuses to buy a $10 hardware firewall. These are not the cheap computers we buy and put together either, it's the overpriced HP computers. The other reason why I do not want to touch his computer is this: One of my other friends brought over a NAV 9.0 CD and installed it, it detect a vir
      • Nice friends you have. Sounds like a complete asshole to me.
      • Re:Hardware Firewall (Score:3, Informative)

        by X0563511 ( 793323 ) *
        Sounds like you need to break in and teach his ass a lesson.

        Start with changing his wallpaper to a large font message saying "YOUR A DUMBASS! YOU CALL THIS SECURITY? SCREW YOU !"

        Leave it alone for a few weeks, see if he tries to change his ways. If not, keep the torment going. Hidden VNCs are nice.
      • Sounds like a good supplier of cheap hardware if he just buys to cure a virus/spyware/trojan infestation - reformat hard drive and start over from scratch properly.
• There is no such thing, an affordable software firewall, they're all software.

  It's just that they sometimes come in a box; any NAT firewall will help you a very great deal.

  Get some NAT and 99% of the problem goes away and some new problems arise of course (games, VoIP, whatever, some VPNs, all get more complicated). ;-)
    • by awkScooby ( 741257 ) on Saturday July 16, 2005 @11:59AM (#13081766)
      A hardware firewall is good advice for a home user, but isn't as good a solution for a big company or university where Remote Desktop is used as a support tool. Sure, there will be corporate firewalls which protect desktops from the Internet, and maybe even from some other internal networks, but all it takes is one worm on someone's laptop to bypass the corporate firewall(s).

      I'm curious as to whether 3rd party software firewalls for windows are impacted by this or not. If not, then this hole (and others which are likely to follow) would provide a good justification for purchasing and deploying a 3rd party solution.

      • It's nothing to do with the firewall, the exploit is in rdesktop. The firewall allows incoming rdesktop connections by default (iirc), hence the "even with the firewall on" comment.

    • It's worth remembering that just having a firewall does not protect you from everything. All it does is basic protection. If you allow RDP from any source through your firewall, then you are still vulnerable to any RDP exploit. The firewall is not protecting the traffic, only the TCP connection. If you really want to be protected, use a firewall for NAT only, and do not map any ports back to your inside box. Or unplug your box from the 'net altogether.
      • I don't like forwarding/opening too many ports, it leads to too many potential vulnerabilities even if you're all patched up.

        I only forward the required for public use (http/ftp), then everything else (lots of it) is only accessed over a VPN connection.

        It's not as secure as being unplugged, but it's better than being wide open. It's a reasonably secure setup imho.
    • If you are using a router to share an internet connect, it probably has a firewall on it that you can enable.
• And of course, in this case, it would solve nothing since it's not the firewall that is the problem but a flaw in remote desktop.

      The solution is for people to not open up these services to the internet and to use a VPN solution like OpenVPN which is *free* and *opensource*.
  • Firewall too? (Score:5, Interesting)

    by peawee03 ( 714493 ) <mcericks AT uiuc DOT edu> on Saturday July 16, 2005 @11:39AM (#13081656)

    Isn't a firewall supposed to block incoming connections unless specifically allowed? So how can this flaw with RD still affect it with the firewall turned on? TFA doesn't make much of a mention of this.

    • Re:Firewall too? (Score:3, Informative)

      by minus_273 ( 174041 )
      windows firewall opens a port for rdesktop by default
      • Re:Firewall too? (Score:3, Informative)

        by kayen_telva ( 676872 )
        no, it does not [mvps.org]
        well, kind of [wown.com]

        it opens a port for remote desktop IF you enable remote desktop.

        so, the question is, does this exploit affect xp sp2 if rdp has never been enabled ?
        • it opens a port for remote desktop IF you enable remote desktop.

          so, the question is, does this exploit affect xp sp2 if rdp has never been enabled ?


          I guess that all depends on whether there is a vulnerability on "Remote Assistance" as well. Since "Remote Assistance" is enabled and unblocked in the firewall by default.
    • Re:Firewall too? (Score:3, Insightful)

      Maybe you could explain how remote desktop could listen for incoming connections without an open port.
    • Re:Firewall too? (Score:2, Informative)

      by Cruithne ( 658153 )
      When you turn RD on in windows, it automagically opens the required port (3389) with windows firewall for you.
  • Honestly (Score:2, Interesting)

    by ZakuSage ( 874456 )
    Why would anyone turn Remote Desktop on unless they know specifically that they're going to use it? The very name of it makes it sound like it's a problem waiting to happen. Even though I use Linux, I made a note of making sure any Remote Desktop feature was disabled.
    • Remote Desktop is definitely a security risk. It seems to me that if you plan on accessing your home machine remotely, it would be wise to put it behind your router/NAT/firewall and never port forward to it. Then setup a VPN connection to your home network and connect that way. Naturally, the trouble is that if you are not tech savvy, setting up VPN is not something that is trivial. (Well, maybe if you have a Linksys WRT54G and patch it with one of those 3rd party firmwares, it might not be so bad...)
• Who really thought that there was a miracle at Microsoft? Look at all the holes Win XP SP1 had; who isn't surprised seeing that MS didn't have major holes in SP2? I doubt they went to the root of the problems with security in regards to their products at MS.
• Actually it's a moderately critical [secunia.com] flaw. You are at risk only if you have enabled Remote Desktop, and are not using NAT.

      Remote Desktop is disabled by default in every version of XP. Including SP2.

To be clear, the bug is in Remote Desktop, not the Firewall. A denial of service [cert.org]. The Firewall has exceptions for services like RDP, FTP, WWW, POP3; nearly all firewalls have this except the most basic.

      Given that slashdot has been reduced to trolling about moderate flaws in windows, i would say SP2 is a great
  • by intmainvoid ( 109559 ) on Saturday July 16, 2005 @11:41AM (#13081676)
    That'd be longhorn then.
  • by morgan_greywolf ( 835522 ) on Saturday July 16, 2005 @11:42AM (#13081680) Homepage Journal
    Does this perhaps affect other implementations of RDP, like the one included with Gnome?
    • I just wonder how this is modded Interesting? Because of preemptive 'bashing' - 'Hey, open source got the same bug too'? AFAIK GNOME does include RD based on VNC. Microsoft Remote Desktop is totally different game and protocol.
    • There's no RDP server in GNOME, just a client. [gnomepro.com] I don't even think the client is included in a stock GNOME installation, but some distros add it.
• While people talk about remote desktop, there's a kernel hang there, so it's probably a TCP/IP related flaw, not tied to "remote desktop" particularly (my 2¢).
      • Well, Remote Desktop creates new instances of the Win32 subsystem and the kernel objects (like file system and registry mount points, named pipes, the list goes on). Also, I guess that the actual translation of keyboard and mouse events from the TCP/IP stream to input to Win32K is done through a kernel module.

        Not to forget the authentication. There's some stuff in creating/destroying sessions that affects the kernel, to some degree. So, no, I wouldn't expect the TCP/IP stack itself. Maybe keyboard/mouse in

  • More and more (Score:2, Insightful)

    by mfloy ( 899187 )
    It must seem like a losing cause for all the patchers at Microsoft, every time they fix one hole 3 more pop up.
  • by Anonymous Coward on Saturday July 16, 2005 @11:46AM (#13081698)
    I use Remote Desktop quite often, it can be very useful and it's more transparent and efficient than PcAnywhere.

What I do is change the port that RDC uses, from the standard 3389 to a unique port. To do this, go to registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
change the decimal value, and reboot.
    • This is security by obscurity. Any script kiddie with a port scanner is going to get around this naive hack.
      • Actually, I do the same thing. And yes, if someone is deliberately scanning all ports on your computer (which takes a significant amount of time) they will find it.

What it does, however, is prevent another Code Red or Blaster style worm from finding me, since such worms aren't going to be scanning all ports and analyzing what each port does. That would be far too slow for such worms that work primarily by infecting lots of machines very quickly.

        In this case, "security by obscurity" works pretty well
    • I run RDP to connect to my home computer from "the road", laptop, office, friend's houses, etc.

      Changing the port is a good idea, but then how do you connect to it? The RDP client doesn't have a PORT option.
      Or does this only work on clients you control (like your laptop) and can fiddle with the registry on?

    • by lheal ( 86013 ) <{moc.oohay} {ta} {9991laehl}> on Saturday July 16, 2005 @12:27PM (#13081924) Journal

      That's not even a first line of defense. OK, so you get past people scanning your whole /16 for open port 3389. But

      nmap -v -sV -O your.box.net
      will reveal that port running RDC on your.box.net the same as if it were on the default 3389.

      Keep in mind that unusual results draw more attention. You want to be invisible, or at least, to look like as many others as possible.

• While you are correct that a human hacker would still be able to find out what port RDC is running on, and then proceed to exploit it (if there is an exploit), changing the port will still protect from automated worms that would just go for port 3389 and try to do their exploits.
      • by tyler_larson ( 558763 ) on Saturday July 16, 2005 @08:47PM (#13084521) Homepage
        That's not even a first line of defense.

        Actually, it's a wonderful first line of defense. In fact, it's a wonderful procedure to follow for all remote access (if possible) because of two main reasons:

        First, you're safe from worms. That's not an insignificant thing. The vast majority of all attacks (especially against Windows boxes) are perpetrated through some automated process--worms or other malware. These programs generally don't waste time doing in-depth scans of computers. If you're configured differently than the rest of the flock, you're not worth the time.

        Second, you're safe from casual portscans. My own servers are scanned at least 20 times a day, and often over a hundred. To save time, these scans only hit the "interesting" ports. If you don't look immediately interesting, you'll just be passed by.

That whole bit about keeping the default setup to avoid extra attention is a bunch of BS. There's nothing terribly suspicious about running a service on a non-standard port. Furthermore, it doesn't matter how interesting or uninteresting a host appears. If your configuration is exploitable, you'll be exploited when discovered. And if you look just like everyone else, well then everyone else will be exploited too.

        There is no strength in numbers, and there is no real strength in solitude. But if you can avoid detection, then you've avoided an attack. That's like hiding your valuables to avoid theft: It's not a reliable defense, but it's simple and works often enough to make for a reasonable precaution.
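The port-change trick from the Anonymous Coward's comment above, and the replies arguing it only helps if the listener is also restricted to trusted sources, can be combined into one procedure. The following is an added example, not code from the thread or from Microsoft: it is written for a current Windows release with the NetSecurity and NetTCPIP PowerShell modules (Windows 8 / Server 2012 and later), not for XP. The port number 33890 and the source range 10.8.0.0/24 (a VPN subnet) are constructed placeholders.

```powershell
# Added example: move the RDP listener off 3389 and replace the built-in
# "Remote Desktop" firewall exception with one scoped to the new port and to a
# trusted source range. Run from an elevated PowerShell session.
$NewPort        = 33890          # constructed example value; pick an unused port above 1024
$AllowedSources = '10.8.0.0/24'  # constructed placeholder for the VPN/management subnet

# Same key the comment above names, written in PowerShell provider syntax.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$Current = (Get-ItemProperty -Path $Key -Name PortNumber).PortNumber
Write-Host "Current RDP listener port: $Current"

# Sanity checks before touching the registry: valid range, and not already in use.
if ($NewPort -lt 1025 -or $NewPort -gt 65535) {
    throw "Port $NewPort is outside the usable range 1025-65535"
}
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "Port $NewPort already has a listener; choose another"
}

# Registry change: PortNumber is a DWORD holding the decimal port value.
Set-ItemProperty -Path $Key -Name PortNumber -Value $NewPort -Type DWord

# Firewall: allow the new port only from the trusted range, then disable the
# stock "Remote Desktop" rule group so 3389 is no longer open to everyone.
New-NetFirewallRule -DisplayName 'RDP (custom port, trusted sources only)' `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress $AllowedSources -Action Allow | Out-Null
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# The listener only picks up the new port after the service restarts (or a reboot,
# as the comment says). -Force also restarts dependent services.
Restart-Service -Name TermService -Force

# Verify: the new port should now be in LISTEN state and 3389 should not.
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in @($NewPort, 3389) } |
    Select-Object LocalAddress, LocalPort
```

To connect afterwards, the stock client accepts the port as part of the host name (`mstsc /v:host:33890`), so the poster's question about clients lacking a port option is answered by that syntax. The source-address restriction is the part that matters against the scanning described in the replies: an `nmap -sV` run from outside the allowed range now sees the port as filtered rather than as an RDP service on an odd port.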

  • Heh (Score:5, Funny)

    by mcc ( 14761 ) <amcclure@purdue.edu> on Saturday July 16, 2005 @11:47AM (#13081704) Homepage
    The software maker's confirmation follows public disclosure of the vulnerability by a private security researcher who goes by the moniker "badpack3t."
    I'm sorry, I can't read past that point in the article. I'm laughing too hard.
  • by AtariAmarok ( 451306 ) on Saturday July 16, 2005 @11:47AM (#13081706)
    It has been years now, and Microsoft's solution to plugging this has never worked. How about an entirely new approach [slashdot.org]?
  • by PakProtector ( 115173 ) <cevkiv@@@gmail...com> on Saturday July 16, 2005 @11:55AM (#13081746) Journal

    Father: They told me I was daft to build Windows, but I built it anyway! It was full of flaws and suffered horrible exploits.

    Father: So I built another Windows! It was full of flaws and suffered horrible exploits.

    Father: So I built a third Windows. It was full of flaws and suffered horrible exploits and the Remote Desktop Feature could be hijacked causing it to crash.

Father: So I built a Fourth Windows! And it had DRM! And that's what you're going to be inheriting lad! The most bloated, useless feature, locked-out OS in these here lands!

    Son: But mothe-

    Father: I'm your father!

    Son: But father... I don't want any of that.

    Father: Well what do you want?!

    Son: I want... something... bug free... and... fre-...

Father: Hey! Hey, now! There'll be none of that!

• I say medium at best...
  1) Few corporate workstations have RDP enabled.
  2) Few corporate environments allow anonymous access to RDP (or Terminal Services).
  3) RDP isn't enabled on XP SP2 by default to begin with.
  4) There's no reason to believe this vul would allow remote code execution at this point.
    • We force RDP on all our workstations through group policy. It would be sort of like the stone ages to have to walk to each desktop to support it, don't you think?

      Every company I've worked at has done this.
  • DOS-attack (Score:4, Informative)

    by jiushao ( 898575 ) on Saturday July 16, 2005 @12:09PM (#13081821)
    No need to blow this out of proportion; from the article:

    In an advisory posted at SecurityProtocols.com, the researcher described the issue as a remote kernel denial-of-service flaw affecting XP SP2, with the default firewall turned on.

    I know Slashdot loves to hold Microsoft to golden standards, but a DOS-attack in a not overly important desktop daemon is hardly huge news. At the very least it happens to a lot of OS's a lot of the time.

    • OTOH, I would imagine there are more servers running terminal services (essentially the same). Hopefully, that's generally through VPN or with source address restrictions in place.
  • The idea behind any firewall is to prevent unauthorized access and to alert the user when such access might be taking place. Microsoft is not about to second guess any of its own services, because clearly they are benign, their firewall has been known to let their own services traffic through without being second guessed. Even with all them service packs, it's entirely possible for an exploit in any area of their OS, and their remote desktop is no exception.

    Why is microsoft so willing to let their customer
  • by msbsod ( 574856 )
    Your IT staff loves security holes. It gives them an important task, they get paid and with every patch they install they know the software keeps them busy and employed for a long time. The PC users in your organization or company are also happy, because someone takes care of their PC's. While the PC is down you can even chat an hour with your colleague. And the executives are proud that they have everything under control. Everybody feels good.
    • Your IT staff loves security holes. It gives them an important task, they get paid and with every patch they install they know the software keeps them busy and employed for a long time.

      I wonder if Microsoft includes patching and rebuilding as part of their TCO? Most I/T professionals hate patch runs as when the patches break things they get the blame. If they don't patch, they get hacked/wormed and they get the blame. The real solution is get a more secure OS and remove excess user control on the de

  • Hmm (Score:2, Interesting)

    by LooseChanj ( 17865 )
    How exactly is this one problem a "batch"?
  • by b00m3rang ( 682108 ) * on Saturday July 16, 2005 @12:27PM (#13081919)
    then RDP into my desktop machine. If only one of the two systems is vulnerable to a particular attack, you still won't be able to get into both (or either) system.
  • Seriously, get a WRT54G and load a custom firmware image that includes a PPTP VPN server or you could do it with SSH.