Microsoft patches critical Remote Desktop Protocol flaw

Businesses using Microsoft's Remote Desktop Protocol should patch a vulnerability that could allow hackers into a business system without authentication, security professionals have said

Businesses using versions of Windows from Windows XP Service Pack 3 onwards should patch a critical flaw in Windows' Remote Desktop Protocol as a matter of priority, say security professionals.

Microsoft brought out a patch for the flaw on Tuesday, documented in the MS12-020 security bulletin. Hackers could use the vulnerability to take control of a computer system by sending malformed Remote Desktop Protocol (RDP) packets over the internet.

Caused by the way RDP treats an improperly initialised or deleted object in memory, the bug affects Windows XP Service Pack 3, Windows XP Professional x64 Edition Service Pack 2, iterations of Windows Server 2003 and Server 2008, Windows Vista SP2, and Windows 7.

"The vulnerability itself is accessible through the network, does not require authentication and allows code execution on the targeted machine, a highly prized combination by attackers," said Qualys chief technology officer Wolfgang Kandek in a blog post.

"Microsoft has rated its exploitability index as 1, meaning that they expect working exploits to be out in fewer than 30 days," he added.

Microsoft patched seven vulnerabilities with six patches on Tuesday, according to its March security bulletin. Businesses should concentrate on patching the MS12-020 RDP vulnerability, said Kandek.

"All of your focus should be on MS12-020," said Kandek. "Within the week apply the patch on your Windows machines that are running the RDP service and are internet facing."

RDP is popular among businesses for remotely controlling Windows machines, but is not active by default, said Kandek.

"[RDP] needs to be configured and started by the system's owner, which then makes the vulnerability accessible," said Kandek. "Consequently we expect that only a relatively small percentage of machines will have RDP up and running."
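The advice above amounts to an inventory question: which Windows hosts actually have RDP enabled and listening, and which of those still lack the MS12-020 update. The following PowerShell script is an added example written for this article, not code from Microsoft or Qualys; it reads the standard Terminal Server registry values, checks the RDP port with netstat (which works on XP SP3, unlike the newer Get-NetTCPConnection cmdlet), and looks up the update with Get-HotFix. The KB number is a placeholder that must be filled in from the MS12-020 bulletin, and the script assumes it is run in an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the article): report whether this host runs RDP, whether the
# RDP port is listening, and whether the MS12-020 update is installed, so internet-facing
# RDP hosts can be prioritised for patching.
# Assumptions: elevated PowerShell 2.0 or later on Windows XP SP3 / Server 2003 or newer.

# Placeholder: replace with the KB article number listed in the MS12-020 bulletin.
$Ms12020Kb = 'KBxxxxxxx'

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# fDenyTSConnections = 0 means Remote Desktop connections are allowed (RDP enabled).
$denied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denied -eq 0)

# Administrators sometimes move RDP off the default port; honour that if set.
$rdpPort = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $rdpPort) { $rdpPort = 3389 }

# netstat -an prints one line per socket; a LISTENING entry on the RDP port means the
# service is reachable on at least one interface (whether it is internet-facing is a
# firewall question the script cannot answer on its own).
$listening = [bool](netstat -an | Select-String -Pattern ":$rdpPort\s+\S+\s+LISTENING")

# Get-HotFix queries installed updates through WMI; no result means the update is missing.
$patched = [bool](Get-HotFix -Id $Ms12020Kb -ErrorAction SilentlyContinue)

$action = $(
    if ($rdpEnabled -and $listening -and -not $patched) { 'PATCH NOW: RDP listening and update missing' }
    elseif (-not $patched)                              { 'Install update (RDP currently not exposed)' }
    else                                                { 'OK: update installed' }
)

# New-Object PSObject rather than [PSCustomObject] so the script also runs on PowerShell 2.0.
New-Object PSObject -Property @{
    ComputerName     = $env:COMPUTERNAME
    RdpEnabled       = $rdpEnabled
    RdpPort          = $rdpPort
    Listening        = $listening
    Ms12020Installed = $patched
    Action           = $action
}
```

Run the script on each candidate host (or push it through a management tool) and sort the output by the Action column; the hosts flagged "PATCH NOW" are the internet-facing RDP machines Kandek says should be patched within the week. Hosts that report RDP disabled still need the update eventually, since enabling RDP later would expose the flaw.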

Microsoft said in its bulletin that the MS12-020 patch was pushed out through automatic updates.

"Customers who have not enabled automatic updating need to check for updates and install this update manually," said Microsoft.

Microsoft also patched a denial-of-service vulnerability in RDP on Tuesday. 
