Microsoft discontinues RDCMan app following security bug

Microsoft recommends using the Windows in-box remote desktop client (MSTSC) instead.


Microsoft this week discontinued its Remote Desktop Connection Manager (RDCMan) application following the discovery of a security flaw.

As its name suggests, the app allows users to connect remotely to other Windows computers via RDP (Remote Desktop Protocol).

The app, which was developed by the former Windows Live Experience team for their internal use, has been available for download from the Microsoft website since the late 2000s.

RDCMan was always a standalone tool, not included with Windows OS versions. Even so, it gained a lot of traction with system administrators in the late 2000s and early 2010s, when there weren't many tools of its kind available online for free.


Microsoft kept the tool up to date over the years, reaching v2.7 in 2014, when it received its last update.

However, RDCMan was never a fully-featured solution for remote management, and Microsoft rolled out alternative tools across the years.

This includes adding a built-in remote management tool (MSTSC) in the Windows OS itself and releasing an official Remote Desktop app on the Windows Store.


As Microsoft rolled out new tools, the company knew RDCMan's ending was coming. In a support document published last year, Microsoft told users to migrate to these two newer solutions.

Microsoft said that both of the newer tools support more features, and receive security updates on a regular basis.

However, many users still rely on RDCMan today, primarily because the app has better features for managing multiple connections at once, a capability that's often used in enterprise environments.

But this week, with the release of the March 2020 Patch, RDCMan's official demise arrived. Microsoft said it received a report about a new bug in RDCMan that could allow an attacker to retrieve data from an RDCMan user's computer.

"To exploit the vulnerability, an attacker could create an RDG file containing specially crafted XML content and convince an authenticated user to open the file," Microsoft said in a security advisory for CVE-2020-0765.

Instead of fixing the bug, Microsoft decided to retire RDCMan, seeing no reason to revive an app that received its last update almost six years ago.

Users who continue using the app should not open any RDCMan connection configuration (RDG) files they receive unsolicited or from unknown sources.
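
A pre-open check for the advice above, as an added example that is not from the article or from Microsoft. It assumes (the article does not say how the XML is crafted) that a legitimate RDG file never needs a document type declaration, so any DOCTYPE or entity definition is grounds to refuse the file; the `inspect_rdg` name and both sample files are constructed for illustration.

```python
import xml.parsers.expat

# Constructed samples: a minimal plain RDG file and one carrying a DTD.
CLEAN_RDG = b'''<?xml version="1.0" encoding="utf-8"?>
<RDCMan programVersion="2.7" schemaVersion="3">
  <file>
    <properties><name>lab</name></properties>
    <server><properties><name>host01.example.test</name></properties></server>
  </file>
</RDCMan>'''

DTD_RDG = b'''<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE RDCMan [ <!ENTITY label "lab"> ]>
<RDCMan programVersion="2.7" schemaVersion="3">
  <file><properties><name>&label;</name></properties></file>
</RDCMan>'''


def inspect_rdg(data: bytes) -> dict:
    """Parse RDG bytes without fetching anything and report DTD constructs."""
    report = {"well_formed": True, "doctype": False, "entities": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = True

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        # system_id is set only when the entity's content lives outside the file.
        report["entities"].append({"name": name, "external": system_id is not None})

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is installed, so expat loads no external data.
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        report["well_formed"] = False

    # Policy (assumption): refuse malformed files and anything with a DOCTYPE.
    report["safe_to_open"] = report["well_formed"] and not report["doctype"]
    return report


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_RDG), ("dtd", DTD_RDG)):
        print(label, inspect_rdg(sample))
```
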

Microsoft credited UK security researcher Ethan Sterling with finding and reporting the CVE-2020-0765 bug in RDCMan.