Microsoft patches critical Remote Desktop Protocol flaw

Microsoft patches critical Remote Desktop Protocol flaw

Summary: Businesses using Microsoft's Remote Desktop Protocol should patch a vulnerability that could allow hackers into a business system without authentication, security professionals have said

SHARE:
TOPICS: Security
13

Businesses using versions of Windows from Windows XP Service Pack 3 onwards should patch a critical flaw in the software as a matter of priority, say security professionals.

Microsoft brought out a patch for the flaw on Tuesday, documented in the MS12-020 security bulletin. Hackers could use the vulnerability to take control of a computer system by sending malformed Remote Desktop Protocol (RDP) packets over the internet.

Customers who have not enabled automatic updating need to check for updates and install this update manually.

– Microsoft

Caused by the way RDP treats an improperly initialised or deleted object in memory, the bug affects Windows XP Service Pack 3, Windows XP Professional x64 Edition Service Pack 2, iterations of Windows Server 2003 and Server 2008, Windows Vista SP2, and Windows 7.

"The vulnerability itself is accessible through the network, does not require authentication and allows code execution on the targeted machine, a highly prized combination by attackers," said Qualys chief technology officer Wolfgang Kandek in a blog post.

"Microsoft has rated its exploitability index as 1, meaning that they expect working exploits to be out in fewer than 30 days," he added.

Microsoft patched seven vulnerabilities with six patches on Tuesday, according to its March security bulletin. Businesses should concentrate on patching the MS12-020 RDP vulnerability, said Kandek.

"All of your focus should be on MS12-020," said Kandek. "Within the week apply the patch on your Windows machines that are running the RDP service and are internet facing."

RDP is popular among businesses for remotely controlling Windows machines, but is not active by default, said Kandek.

"[RDP] needs to be configured and started by the system's owner, which then makes the vulnerability accessible," said Kandek. "Consequently we expect that only a relatively small percentage of machines will have RDP up and running."

Microsoft said in its bulletin that the MS12-020 patch was pushed out through automatic updates.

"Customers who have not enabled automatic updating need to check for updates and install this update manually," said Microsoft.

Microsoft also patched a denial-of-service vulnerability in RDP on Tuesday. 


Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

13 comments
Log in or register to join the discussion
  • The long and short of this is that MS can only keep patching this ageing OS for so long. These Jerks in the corporate sector who don't want to spend money on upgrading are blind and foolish. Windows 7 and even Windows 8 are fantastic operating systems and I am totally sick of having to use an OS from 11 years ago when at work.
    If stupid moron I.T Managers decide that they don't want to upgrade, they need to get ready for security holes. end of story. This article isn't newsworthy.
    Drobilliard
  • Perhaps you should actually read the article properly before going into some mad rant about XP.

    "...the bug affects Windows XP Service Pack 3, Windows XP Professional x64 Edition Service Pack 2, iterations of Windows Server 2003 and Server 2008, Windows Vista SP2, and Windows 7"
    JamieKB-7ae5b
  • +1, Agree with JamieKB , read the artical before ranting on about "stupid moron I.T Managers",actually its about time Microsoft sold a tight piece of software at a reasonable cost for a change.Fool.
    coochicoo
  • Truthfully, I don't care. I'm an I.T Manager. Granted I didn't read the article particularly thoroughly, however, Microsoft sold a 'tight' piece of software (whatever that's supposed to mean) with windows 7. And if you consider what MS give you for the money, it's not that expensive really. unless your company is poor.
    Unfortunately when at work I only get a chance to glance past and make a quick comment on articles before some cretin does something stupid with a computer and I have to sort it out.

    P.S, none of this matters, I really don't give two fucks what you reckon I am. I'm 100% sure you've said things in the past that were incorrect. However I stand by my statement that IT Managers are stupid for not upgrading to 7 much much sooner.
    Drobilliard
  • Do you not think, perhaps, there are other reasons other than financial that companies have not yet upgraded to W7?

    Perhaps, as an "IT Manager" as you call yourself, you would realise there could be issues with App Compatibility that cant be fixed easily with ACT. Perhaps some companies use In-house apps that have not yet been updated to work properly with W7? Perhaps legacy drivers that may not work correctly with W7? I could go on, for a long time.

    As others said to you, you didn't even read the article, so really, shouldn't be shouting off at people, dubbing them 'morons' because they have not yet upgraded to W7 from XP. You even said you're sick of using XP when you go to work... yet you're the "IT Manager"? So.... you're a moron for not upgrading?
    a_Grn
  • Yawn... I don't dub me anything, it's my job title. and yeah, I am a moron (which I am more than happy to admit) for not covering all the computers with the upgrade policy I put in place. And obviously, when you first upgrade you want to do it in a cautious way and maybe not roll out the upgrade across all computers simultaneously (and also do your research, which I did). Obviously, some of the computers we have can't support 7 and therefore must be XP (which is what I am talking about above). If I could eradicate XP from the whole company I would in a heartbeat (which is what I am working towards at the moment).
    as for legacy drivers and in house apps (apps, not drivers), we got ours updated, and I also had the foresight when they were built to make sure they would be future-proof and didn't just cobble together a crap MS Foxpro database system.
    Companies have had 2 to 3 years to update their shit and bring it in line with modern tech standards (and longer if they bothered to try out Windows 7 pre-release), it's not my problem they haven't.
    All of these 'reasons' that you mention aren't show stopping numbers, they are things that as an IT manager you address and move with the times. That's my take, and that's why the company I work for are living in the present and my department's support calls have dropped substantially since upgrading, we also have much better in house apps that conform to modern standards and that are ready to move to windows 8 or 9 whenever I choose to start rolling that out.
    You don't like me, I can quite easily cope with that by not thinking your opinion is worth much. If your company is stuck in the past, that's your problem, not mine. Any of the half baked reasons you presented to not upgrade are only bumps in the road. By sticking with XP because it's easier, it will be a bigger and more drastic change when you finally get round to upgrading. I also wouldn't mind if an IT manager wanted to keep an older system around to run older stuff on, but there is really no actual reason to stay in the past.
    If this discussion was being held on any other article my point would be the same. If I didn't know what I was doing, I wouldn't have my job or salary. All the users of 7 are much happier and so are the MDs. That is what matters to me. I don't care about your situation.
    Drobilliard
  • You clearly do care about others situation or you wouldn't be commenting ;) Let alone the first one to comment on it.
    a_Grn
  • no, you're making the mistake of assuming I care about others situations when I actually just care about morons being in control of IT, not individuals situations singularly.
    RE: Commenting, as before, me not caring about YOUR situation or other people's situations is a totally different thing to wanting to respond to some dude who keeps hassling me and making statements that I debunk. Your situation is set apart from that. You see where I say "I don't care about your situation", That should've given it away. if I could underline and embolden the word YOUR in that I would because you clearly don't read things...oh wait, didn't you just accuse me of that?
    Drobilliard
  • Mr Happy lives in Happyland where (mostly) everyone and everything is always happy. Whenever you're down, if Mr Happy comes to visit, before long you'll find yourself cheerful again.
    Greenbank
  • "This article isn't newsworthy."

    Well it clearly is, DaveRobilliard. You said yourself that you have XP computers on the network that you claim to run - I'd be inclined to patch those PCs before someone uses them as a handy doorway onto your network and threatens to harm your beloved Windows 7 PCs.

    And before you decide to upgrade the XP computers on your fictional network, I would implore you to ask the following questions:

    • Does it add value?
    • Does it reduce cost?
    • Is it absolutely necessary?

    If you have a PC sat in the corner quietly chuntering away to itself and it is still supported, why upgrade? It's money wasted for the sake of being on the pinnacle of technology. Granted, when XP stops being supported by Microsoft and when the hardware that it's sat on stops being supported by a maintenance provider, then it's time to upgrade.

    If it ain't broke, don't fix it... In this case it's broke and the fix comes in the form of a simple patch release - stop whinging and do your fictional job.
    Drewpie
  • Windows XP came out of mainstream support 3 years ago.
    anonymous
  • But extended support ends in about 2 years... That's far more important, surely? At the end of the day, this whole article is regarding security.
    Drewpie
  • Extended support costs money, thus nullifying your money based argument for keeping XP based PC's. Why leave a machine running software which must be business critical of you are that unwilling to at least play with virtualising it sitting in the corner when it could die any minute?

    If it ain't broke, don't fix it is a great mantra as long as if it does break, you don't lose it.

    Thats before you even factor in any increased costs due to higher power consumption (god forbid that PSU decides to give up the ghost) due to age, lost man hours caused by ever decreasing performance (if it ain't broke, don't fix it - right?), not to mention the frustration caused to staff by the user perception of the machines performance compared to their nice shiny i5 windows machine with 8 times the RAM, and their 7200RPM hard drive compared to the 4200RPM one in their trusty old reliable (?) XP machine.

    It may not be broken, but a good IT manager should be proactively be at least in the back of his mind looking into fixing the application compatibility problems.

    Of course a good and proactive IT manager wouldn't be writing off news of a patch for a major security flaw in an industry wide heavily used piece of software as "unnewsworthy" either... ;o)
    anonymous