New Windows flaw to spark Conficker 2.0?

Summary: Microsoft is urging administrators to patch their machines after it discovered a vulnerability that could allow hackers to take complete control of PCs running Windows and potentially pave the way for the next Conficker worm or worse.

(Gummy Worms 9 image by Pam Junsay, CC2.0)

In the most recent Patch Tuesday bulletin, Microsoft identified a critical flaw affecting Remote Desktop Protocol (RDP), included in most versions of Windows — affected versions include Windows XP, Vista, 7, Server 2003 and Server 2008.

According to the security bulletin, the vulnerability works by "modifying the way that the Remote Desktop Protocol processes packets in memory and the way that the RDP service processes packets".

Depending on how the packets are crafted, this could allow a hacker to completely compromise the target or cause the RDP service to hang, resulting in a denial of service for legitimate users.

Although RDP is disabled by default on fresh installations of Windows, its popularity among users, especially in the enterprise space, makes it a significant and lucrative target for attackers.

"Due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days," Microsoft wrote in a blog post.

Penetration testing company, HackLabs, estimates that about 98 per cent of all Australian organisations run RDP internally, and 30 per cent have the RDP service exposed to the internet.

Fortunately, Microsoft has not yet discovered any working exploits of the hole in the wild and considers the work involved to create one to be non-trivial. This may give users time to patch their systems before an exploit is developed.

HackLabs director Chris Gatford said that a comparable vulnerability would be MS08-067, discovered in 2008, which affected Windows XP, 2000, Vista, Server 2003, Server 2008 and the then pre-beta version of Windows 7. Complete compromise of a computer running one of these operating systems was possible due to the way that Windows' Remote Procedure Call service handled certain requests.

It took hackers only four days to release an exploit for MS08-067, and it went on to become a key attack vector for several worms, including Conficker, which arguably became one of the top 10 viruses that changed the world. Microsoft later offered a US$250,000 reward for the arrest and conviction of Conficker's authors, but not before it hit RailCorp and ANZ Bank. It even appeared on hard drives sold by Aldi as recently as the middle of last year.

A workaround does exist for organisations that aren't yet ready to patch the remote desktop vulnerability: administrators can enable Network Level Authentication (NLA) on Windows Vista and later platforms. With NLA enabled, an attacker has to authenticate to the victim before it is possible to exploit RDP. However, enabling NLA will also prevent earlier versions of Windows, including XP and Server 2003, from being able to connect legitimately.

While XP clients can use Microsoft's Credential Security Support Provider (CredSSP) to authenticate with NLA and continue to use RDP, no such support exists for Server 2003.
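As an added example (not part of the article, and not Microsoft's own guidance), the PowerShell script below audits a Windows host for the state discussed above: whether Remote Desktop is enabled, whether anything is actually listening on the RDP port, and whether NLA is required; run with -EnforceNla it switches NLA on. It assumes an elevated session on Windows Vista / Server 2008 or later, the standard Terminal Server registry locations, and Get-NetTCPConnection where available (Windows 8 / Server 2012 or later), falling back to netstat on older hosts.

```powershell
# Added example: audit the RDP listener and the NLA workaround on a Windows host.
# Assumptions: elevated PowerShell on Vista / Server 2008 or later; the registry
# values below are the standard Terminal Server settings; Get-NetTCPConnection
# needs Windows 8 / Server 2012 or later, otherwise netstat output is parsed.

param(
    [switch]$EnforceNla   # when set, require NLA for new RDP connections
)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is disabled (the default on a fresh install).
$denyConnections = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
# UserAuthentication = 1 means NLA is required before a session is set up.
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
# PortNumber is 3389 unless an administrator has moved the listener.
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }

$rdpEnabled = ($denyConnections -eq 0)

# Is anything listening on the RDP port? This settles "does the machine accept
# RDP connections" regardless of what the registry says.
$listening = $false
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
} else {
    # Fallback for older hosts: look for a LISTENING socket on the port in netstat output.
    $listening = [bool](netstat -an | Select-String -Pattern ":$port\s+.*LISTENING")
}

if ($listening -and $nlaRequired -ne 1) {
    $exposure = 'RDP reachable without NLA: patch, or enable NLA as a stopgap'
} elseif ($listening) {
    $exposure = 'RDP reachable, NLA required: NLA limits exposure but the patch is still needed'
} else {
    $exposure = 'RDP not listening'
}

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    RdpEnabled   = $rdpEnabled
    Port         = $port
    Listening    = $listening
    NlaRequired  = ($nlaRequired -eq 1)
    Exposure     = $exposure
}

if ($EnforceNla -and $nlaRequired -ne 1) {
    # Enabling NLA blocks clients that cannot do CredSSP (XP without the CredSSP
    # update, Server 2003), so account for those clients before flipping this.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Write-Output 'NLA now required for new RDP connections; existing sessions are unaffected.'
}
```

Run it as `.\Audit-Rdp.ps1` for a report, or `.\Audit-Rdp.ps1 -EnforceNla` to apply the workaround; the report line is emitted as an object so it can be collected from many hosts with Invoke-Command and exported to CSV for an inventory of which listeners are reachable without NLA.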

Topics: Microsoft, Security, Windows

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • And blame the RDP team for not releasing the RDP 6.1 or 7.0 client for Server 2003.
  • Over a year ago, I forwarded countless screenshots and logs to Microsoft Support showing that Microsoft-pressed $300 Genuine Windows discs were installing (onto brand new Seagate / Western Digital hard drives) Windows operating systems where RDP was not only ENABLED by default but the 'service' was IMPOSSIBLE to deactivate or even switch off. Doing either would result in a reboot into the Windows 'Recovery' Environment where one is insulted with the message informing you that "Windows cannot repair this system - a recent installation or driver blah blah blah..."

    Five months later, I paid $600 for Microsoft Emergency Technical support to remote access one of my corrupted systems where, for two hours, I showed them this issue above and dozens of other - equal or even more alarming - issues. I dumped them off my desktop after two hours when they were claiming to have zero knowledge of the Windows Registry.

    13 months after I informed Microsoft of this fact, and supplied mountains of irrefutable evidence, every Windows installation continues to install RDP as ACTIVATED by default. Windows XP (all service pack versions), Windows 7 (Starter > Ultimate, including SP1), Windows Server 2003, 2008, Windows 8 Developer Preview, Windows 8 beta (consumer and server) - every single Windows OS does this. I can videotape this occurring in real time - it's occurred 430 installation attempts in a row, on internal and external hard drives, in random hotel rooms on 3 continents, I even reproduced this at 37,000 feet in the air using a brand new INTEL SSD in my HP laptop and a fully-licensed, Microsoft-pressed Genuine Windows Professional disc.

    What's my point? I believe this article is insulting and a disgrace. If you disagree, challenge me to provide evidence and I can - and will - FLOOD you with that evidence. But you won't, will you? Because you're in the business of insulting deception. I'm willing to stand corrected, if - by implausible circumstance - you're not the disgrace this article all but guarantees.
    • Most versions of Windows ship with RDP installed, but the service is never enabled by default and does not accept any inbound connections. That's the advice that Microsoft has provided in its security bulletins, in its support FAQs, and has also been my experience on fresh installations of Windows.

      You may wish to test if your machine actually accepts a connection. It will refuse the connection if RDP is not running and listening for clients.

      Michael Lee (Mukimu)
  • I doubt the percentage of hosts exposed to the internet is factual considering
    • further supports that these estimations are significantly over exaggerated.