New Batch of XP SP2 Holes
terap writes "Microsoft has acknowledged that it is working on a patch for a potentially serious security hole in the 'Remote Desktop' feature. It affects fully patched versions of Windows XP Service Pack 2, even with the integrated firewall turned on. There is a possibility this could lead to code execution attacks."
I have had it disabled since day one. Just the idea of "remote desktop access" sounds like a security problem waiting to happen.
Seriously, people, they're cheap as hell and much superior to anything you're going to get from Microsoft on a software level. Just close all ports on the hardware firewall except the few that you need, and try to keep your computer updated. It's really a very simple process and can save you tons of time in the end.
Isn't a firewall supposed to block incoming connections unless specifically allowed? So how can this flaw with RD still affect it with the firewall turned on? TFA doesn't make much of a mention of this.
Why would anyone turn Remote Desktop on unless they know specifically that they're going to use it? The very name of it makes it sound like it's a problem waiting to happen. Even though I use Linux, I made a note of making sure any Remote Desktop feature was disabled.
Seriously, it's funny how any bugs or exploits related to Microsoft products get the front page derogatory treatment on slashdot, and any other vulnerabilities from Linux, Apple, etc don't get the same sensationalistic coverage.
Considering that slashdot is a Linux-centric site, what's the reason for posting all this Microsoft minutiae? Doesn't everybody here run Linux, so it's irrelevant to the readership?
I find it funny the editors are probably pushing their thirties, yet still act like 5 year olds toward a billion dollar corporation that has contributed more and done more for the world than they can ever hope to.
Who really thought that there was a miracle at Microsoft? Look at all the holes Win XP SP1 had; who isn't surprised seeing that MS didn't have major holes in SP2. I doubt they went to the root of the problems with security in regard to their products at MS.
...uses the integrated firewall? Seriously, get yourself a real firewall. And unless your life (or job) depends upon it, you shouldn't be using remote desktop, either.
you mean L.I.N.U.X MacOS X is slow when compared to L.I.N.U.X :)
Apple ain't better than Microsoft.
That'd be longhorn then.
Bwaaa Haaaa Haaaa Hooo hoo hee...
Does this perhaps affect other implementations of RDP, like the one included with Gnome?
Because there's a few thousand of us who like to know when we have gaping holes in security?
It must seem like a losing cause for all the patchers at Microsoft; every time they fix one hole, 3 more pop up.
Ah! Here come the non-stop anti microsoft flames? WHAT CAN WE DO?? Oh yeah, I can ignore them like I always do.
I use Remote Desktop quite often, it can be very useful and it's more transparent and efficient than PcAnywhere.
What I do is change the port that RDC uses from the standard 3389 to a unique port. To do this, go to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber, change the decimal value, and reboot.
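The port change described above, written out as a script with the checks a practitioner would want around it. This is an added example, not the commenter's own procedure: it assumes an elevated PowerShell on Windows 8 / Server 2012 or later (the NetSecurity module does not exist on XP SP2, where the same registry value is paired with netsh instead), and the port number and hostname are constructed values. The built-in Windows Firewall exception for Remote Desktop is bound to TCP 3389, so moving the listener without adding a rule for the new port locks you out; and since the listener is still reachable on the new port, the flaw discussed in this thread is unchanged by the move until the patch lands.

```powershell
# Added example: move the RDP listener off TCP 3389 and open the new port in
# Windows Firewall. Assumes elevated PowerShell with the NetSecurity module
# (Windows 8 / Server 2012 or later). $NewPort is a constructed value.
$NewPort = 33890
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Record what the listener is bound to before touching anything.
$Current = (Get-ItemProperty -Path $KeyPath -Name PortNumber).PortNumber
Write-Host "Current RDP listener port: $Current"

if ($NewPort -lt 1024 -or $NewPort -gt 65535) {
    throw "PortNumber must be in 1024..65535 (got $NewPort)"
}

# PortNumber is a REG_DWORD; the comment in the thread refers to its decimal view.
Set-ItemProperty -Path $KeyPath -Name PortNumber -Value $NewPort -Type DWord

# The predefined "Remote Desktop" rule group only covers 3389, so add an
# explicit inbound rule for the new port. Domain/Private only: no public profile.
New-NetFirewallRule -DisplayName "Remote Desktop (custom port $NewPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow `
    -Profile Domain,Private | Out-Null

# Verify the write took, then restart the listener service. This drops any
# active RDP session, which is why the comment simply says "reboot".
$After = (Get-ItemProperty -Path $KeyPath -Name PortNumber).PortNumber
if ($After -ne $NewPort) { throw "Registry write did not take effect" }
Restart-Service -Name TermService -Force

# Client side (the host:port syntax mentioned later in the thread):
#   mstsc /v:workstation01.example.internal:33890
```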
Well, bookies are no longer allowing bets on whether there will be a new vulnerability discovered each week, but on how many.
It has been years now, and Microsoft's solution to plugging this has never worked. How about an entirely new approach?
does this affect Windows 2003?
You must be new here.
You mean OS/X
http://home.anders1.org/xp-sp2-remote.jpg <- mirror
Father: They told me I was daft to build Windows, but I built it anyway! It was full of flaws and suffered horrible exploits.
Father: So I built another Windows! It was full of flaws and suffered horrible exploits.
Father: So I built a third Windows. It was full of flaws and suffered horrible exploits and the Remote Desktop Feature could be hijacked causing it to crash.
Father: So I built a Fourth Windows! And it had DRM! And that's what you're going to be inheriting, lad! The most bloated, useless-feature, locked-out OS in these here lands!
Son: But mothe-
Father: I'm your father!
Son: But father... I don't want any of that.
Father: Well what do you want?!
Son: I want... something... bug free... and... fre-...
Father: Hey! Hey, now! There'll be none of that!
I say medium at best... 1) Few corporate workstations have RDP enabled.
2) Few corporate environments allow anonymous access to RDP (or Terminal Services).
3) RDP isn't enabled on XPSP2 by default to begin with.
4) There's no reason to believe this vul would allow remote code execution at this point.
First, the firewall. The Windows firewall is a good thing. No company worth its salt doesn't have a border firewall, either hardware or a secure *nix machine. That said, the Windows firewall is a good thing to protect against internal attacks. It's configurable by group policy across an Active Directory domain. Thus it's a good third layer of security (the second being ACLs on the routers and switches).
As for Remote Desktop, it can be a good thing. Yes, on client machines it should be disabled (via GP); however, being able to use it for tech support purposes is great.
I just installed kernel 2.6.12.2 and it feels a lot snappier!
Windows® - Now with more holes than a Polo factory.
It's even enabled by default? IIRC you have to enable it in "my pc -> preferences" in order to allow other people to use remote desktop. And...
This may include providing a security update through the monthly release process or issuing a security advisory, depending on customer needs," she added.
Fuck, what your customers want is to get a fucking patch that fixes the fucking flaw, and they want it before it hits sites like slashdot.
I have to agree. I installed debian 3.1 with the 2.6 kernel and it crashes faster and more reliably than XP does. LINUX is Superior!
In an advisory posted at SecurityProtocols.com, the researcher described the issue as a remote kernel denial-of-service flaw affecting XP SP2, with the default firewall turned on.
I know Slashdot loves to hold Microsoft to golden standards, but a DoS attack in a not overly important desktop daemon is hardly huge news. At the very least, it happens to a lot of OSes a lot of the time.
Blocking every port from 1024-65535 is unrealistic...
In fact, if you use passive FTP to download anything from the internet, if you use MSN Messenger to transfer files or view webcams, if you transfer files by DCC via an IRC client... or use any other application which is not port-range specific.
It's a "design problem" that such applications are not port-range locked. It would be easier to lock the other ports.
This means that anytime you need to do such a thing you have to manually open wide the 1024-65535 ports and go back to normal mode after.
It would be easier if EVERY app were somehow port-range specific, not just a few frequent applications.
The idea behind any firewall is to prevent unauthorized access and to alert the user when such access might be taking place. Microsoft is not about to second guess any of its own services, because clearly they are benign, their firewall has been known to let their own services traffic through without being second guessed. Even with all them service packs, it's entirely possible for an exploit in any area of their OS, and their remote desktop is no exception.
Why is microsoft so willing to let their customer base get screwed time and time again with the lack of security?
There are only two reasons I can think of for remote desktop.
1) It provides a means to allow a knowledgeable friend or tech support person to temporarily control your computer in order to solve some problem you can't.
2) It allows you access to your own computer from a remote location.
Every time two computers want to activate the remote desktop feature, the computer being "dialed in" should generate a public/private encryption key pair and fire off the public key to the other computer, and that is needed for the entire remote desktop session. To end the session, the private key gets tossed. In any event, there should only be two ways to allow the remote desktop feature to even be accessed beyond the point of encryption key handling. The first involves a huge nasty dialog box that states "A remote user is trying to access your desktop remotely. Do you want to allow it?" and the second is through some kind of PGP signature generated before you leave the computer and placed on a USB key or emailed or something.
If joe q public gets a new computer home, joe is not about to put much effort to secure it by turning off the unnecessary services - those services microsoft quite helpfully has enabled by default - and with a more complicated environment, the risk of security holes increases. This is especially true if joe doesn't even have the slightest clue what "remote desktop" might be.
The best shot microsoft might have to improve security is to strip the running services down to bare nuts and provide a long questionnaire - with an explanation of each service and a detailed pros/cons - allowing the user to selectively tune the box to fit their needs. You can turn off a half dozen services in xp that are enabled by default and not only are they unnecessary, but it will make the system faster and more secure.
I'm more astonished at microsoft for failing to put the greatest amount of effort into securing their OS where it really counts. By simply leaving certain services disabled where most users will never need them.
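The two gates proposed in the post above (an explicit consent prompt on the machine, or a credential generated before leaving it) as a small access decision routine. This is an added example, not the commenter's design or any Microsoft code: in place of the PGP signature it uses a random one-time token that is stored only as a hash, which is a substitution for the sake of a standard-library-only example; all class and function names are made up here, and the scenario in demo() is constructed. What the example adds to the prose is the handling a practitioner needs around such a credential: single use (a replayed token is refused even if it has not expired), a time limit, constant-time comparison of the stored digest, and the consent prompt as the fallback when no usable token is presented.

```python
"""Added example (not the commenter's code): a one-time, time-limited
pre-authorization for a remote session, modelled on the thread's two
proposed gates (consent prompt, or a credential prepared before leaving).
Standard library only; the random token stands in for the PGP signature
the commenter mentioned, and every name below is invented for the example."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional


class RemoteSessionGate:
    """Decides whether an incoming remote-desktop request may proceed."""

    def __init__(self, consent_prompt: Callable[[str], bool],
                 clock: Callable[[], float] = time.time):
        # Only a SHA-256 digest of each issued token is kept, so a copied
        # state file does not hand out usable tokens.
        self._issued: Dict[str, float] = {}   # digest -> expiry (epoch seconds)
        self._consent_prompt = consent_prompt
        self._clock = clock

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, ttl_seconds: int = 3600) -> str:
        """Run before leaving the machine; carry the returned token out of band."""
        token = secrets.token_urlsafe(32)
        self._issued[self._digest(token)] = self._clock() + ttl_seconds
        return token

    def _redeem(self, token: str) -> bool:
        presented = self._digest(token)
        for stored, expiry in list(self._issued.items()):
            # Constant-time compare so the check leaks nothing about stored digests.
            if hmac.compare_digest(stored, presented):
                del self._issued[stored]          # single use, whether or not still valid
                return self._clock() <= expiry
        return False

    def authorize(self, peer: str, token: Optional[str] = None) -> bool:
        """True if a fresh, unexpired token is presented, else whatever the
        consent prompt (the 'huge nasty dialog box') decides."""
        if token is not None and self._redeem(token):
            return True
        return self._consent_prompt(peer)


def demo() -> Dict[str, bool]:
    """Constructed scenario: a fresh token, its replay, an expired token, and
    a request with no token that is approved by the consent prompt."""
    now = [1_000_000.0]                           # fake clock, advanced by hand
    gate = RemoteSessionGate(consent_prompt=lambda peer: peer == "trusted-helper",
                             clock=lambda: now[0])
    token = gate.issue_token(ttl_seconds=600)
    first = gate.authorize("laptop", token)       # fresh token: allowed
    replay = gate.authorize("laptop", token)      # consumed token, prompt says no
    stale = gate.issue_token(ttl_seconds=60)
    now[0] += 120                                 # two minutes pass
    expired = gate.authorize("laptop", stale)     # past its TTL, prompt says no
    consent = gate.authorize("trusted-helper")    # no token, prompt approves
    return {"first": first, "replay": replay, "expired": expired, "consent": consent}


if __name__ == "__main__":
    print(demo())
```

The token is a bearer credential, so the out-of-band channel that carries it (the commenter's USB key or e-mail) is what the scheme's security rests on; the single-use and expiry checks limit the damage if that channel is read after the fact.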
And until someone ports iptables to Windows or I upgrade to a hardware firewall, I'm going to go on using it. All the other firewalls available for Windows are disgustingly bloated crippleware, and I'd rather take my chances with Windows' built-in firewall than have yet another program slow up my computer at startup and add another-annoying-systray-icon(TM).
Remote Desktop? Meh.
Your IT staff loves security holes. It gives them an important task, they get paid and with every patch they install they know the software keeps them busy and employed for a long time. The PC users in your organization or company are also happy, because someone takes care of their PC's. While the PC is down you can even chat an hour with your colleague. And the executives are proud that they have everything under control. Everybody feels good.
Now what would be interesting is having news like "No new Windows security fixes for today." That would really be an eye popper.
Well back to sleep.
Slashdot should create a small sidebar, similar to the freshmeat one, that shows all the new Microsoft patches of the day.
That would save a lot of front-page space every day from wasted headlines about a Windows or IE Patch.
Actually, it does have a port option. syntax: ipaddress:port just put a colon in, the same as when you access any webservices not running on port 80
If you are using a router to share an internet connect, it probably has a firewall on it that you can enable.
How exactly is this one problem a "batch"?
then RDP into my desktop machine. If only one of the two systems is vulnerable to a particular attack, you still won't be able to get into both (or either) system.
Not to troll, but hasn't it been every time Microsoft introduces some innovative network-related feature, like Remote Desktop or ActiveX, it's fundamentally flawed?
:P
Makes me really anticipate Indigo
I'm sure the developers who think these things up are genuinely bright people, so I would assume it's the upper management with their "product" mentality who want to rush these innovative features out the door, when they really should have been confined to serious lab testing for years before Microsoft starts touting them.
Micro$haft Got Willie caught in my zipper and I dunno what to do.. It hurts like a mother... I hope it happenz ta you... How much is that Longhorn "upgrade" again ?
That's what I want. Patches on your schedule.
RDC is actually very good. Sound, color, etc. I've used VNC and even over a high-speed connection I had to turn colors down, etc. Whereas RDC never needed me to turn down the colors. Plus it actually shows what your pointer looks like, not some little dot thing.
So before you bash RDC, see if you can learn something from it first.
mack a whole...
(Note to Modder: Grandparent is NOT flamebait... it has more than an element of truth to it. Even one BAD bug every 500 can have a deleterious effect upon individuals as well as Ajax-strength IT departments...)
Actually, people should be tired of playing "whack a mole" with mshaft. They should get into the "Raid-a-Mole" mode and just kill the ms CNS...yeh, just "Black Flag" mshaft...
And, to remember that back around 1995, mshaft said they'd listen to their customers and break up the monolithic structure of windows and modularize it so that fluff and bloat could be removed or never be seen in the first place... So much for them "listening to what their customers want..."
Everybody else replying to this is like "But Windows Remote Desktop Connection is in WINDOWS! WAAAAH!!" as if you can't tunnel those through ssh from a linux box. They're ON. They DO allow you remote desktop connection. Yet they're still COMPLETELY secure... IF you do it right. I'm not worried at all.
Anybody using standard ports for their personal rig is asking for trouble.
Anybody who modded the parent insightful clearly missed his cynicism.
Most unix based OS's have, years ago, patched the "new" flaws that M$ heroically pats itself on the back for patching or trying to patch today within their oh so popular piece of crap... (jpg and png library holes come to recent memory... redhat (which is traditionally LATE with their patches had those patched 3.5 and 2 years ago, respectively) but hey... why not bash Linux when your favorite $299.99 off the shelf piece of crap OS gets rooted (or is that just plain pwned?)
It's actually gamer geeks' fault for getting our parents hooked on Windows so we could get them to pay for a 386 with 8 megs in 1991 to play Doom on... and that comes from personal memory of my childhood... my parents didn't give a rat's ass about which OS they used since they would ask me or my friends (at the time) about what to do next.
Too bad, since we could've been making more productive use of our time with a linux kernel, hacking away at that code, instead of trying to do workarounds of the buggy and expensive windows OS to try to build our network security tools and the like. Otherwise we wait years for M$ to patch things... Anyone remember the good ole Winnuke? Port 139? M$ issued a "security" patch... namely a port blocker, which was promptly circumvented the same day by roughly every hacker that ever wrote a network penetration tool.
Check out the fine usage of RPC in Windows 2000 and XP now... Microsoft makes a practice of making things insecure by default.
Remote desktop is used by a LOT of IT companies that base their entire business models around selling people Windows and then charging them to constantly "repair" damage done by those "ev1l h@x0rs" or what not (and they NEVER blame Microsoft's own lousy code and business practices for all their bad name and rep).
Those same IT people use Remote Desktop for Windows to log into various Server 2003 installs and then only charge for the time spent working (or peeing with the remote desktop logged on), thus "saving" the time to drive to a site. Most lusers are usually too low on IQ to be able to comprehend most "type this" or "click that" instructions, so telephone support is always a living hell for those who engage in it. (Or perhaps they simply choose not to care about their computers, the same way they forget to change the oil in their cars and their engines shoot up in smoke.)
But anyways, it's always those haxors... yep. Never put the blame on shitty expensive business models designed to enrich only the support and vendor companies. (The users just get shafted into buying MORE shit that STILL sucks to patch the shit that doesn't "just work".)
For the record, I avoid using VNC, but I do like remote login features of KDM and GDM (or XDM). Link them up with SSH or Webmin/SSL/TLS and life is simple over a LAN or the internet.
In fact, this particular reply is written from a GDM (Gnome) remote login to my app server on the LAN. It is by no means slower than Windows 2003 Terminal Services was when I used it, and this machine is significantly cheaper (single CPU, AMD Athlon 1400 MHz as opposed to the dual 2.4 GHz Xeons at my last IT job). Hint: the app server also doubles as a private email server, ftpd, httpd, IRC and occasionally as a print server. Did I also mention that it runs Postgres AND MySQL without a hitch? On less than 1 GB of RAM? Try THAT with Microsoft's SeQueL (SQueaL?)... but as I recall, using less than 1.0 GB expressly for an M$ SQL server ends up being a frustrating exercise in inadequacy for the foolish IT guy doing it.
PS - I personally have made a practice of shelling out cash, hardware or code to OSS projects, Debian, Gentoo, OpenBSD, etc... at least this way I help people, organizations and movements that help me.
Sure, having your box lock up is annoying but are any critical systems running on Windows XP? Would any real loss occur from successful exploitation? Unlikely.
Seriously, get a WRT54G and load a custom firmware image that includes a PPTP VPN server or you could do it with SSH.
I don't care about XP. What about our servers? I know a lot of Sp1 for 2003 is similar to XP SP2 code.
Is Windows 2003 Server affected?
You're an obvious troll, but what the hell - it's a slow day.
Let's see - since sanity vs. insanity is defined by the majority of the people (people "thinking" or "seeing" in a similar fashion will tend to define as "insane" people who think or see in an obviously different fashion), then I guess the 90% or so people who use Windows would beg to differ with you. They probably believe they are in their right minds, and hence could possibly have cause to believe that maybe you are not.
However, to the real issue you have raised about "Times have changed and there is no reason anymore to use an operating system that is that insecure, prone to viruses and spyware, and unstable.": Let's see... We are just starting a project to replace our current crop of machines in early 2007. First thing: what OS? Is it Longhorn or something else like Linux or OSX? Every time we get some business unit suit asking us to go with Linux, we (who wouldn't mind switching ourselves) ask them which of the 4,000 apps in use in the company they are willing to throw out and either buy a new version for Linux, re-write (if in-house), get a freeware community-supported version, or try to make work using something like WINE.
They ALWAYS without fail just go away.
There is just NO WAY that we could make the switch at this point. Software that runs under Windows is too entrenched in our environment and purchasing, re-writing, investigating freeware, testing under WINE, etc. would cost WAY MORE than just upgrading to Longhorn as we install new machines. I mean it isn't even CLOSE. Not to mention the business delay it would cause to do all of that work investigating whether we could get a functional environment for people. Look at how many MS Office macros (yes they are evil, but they exist in large numbers) would have to be thrown out and redone. It's just huge any way you look at it.
That all said, a company just starting could probably get going with something like SuSe or RedHat (or another) with no major problems. They could start out on Open Office (2.0 is looking good). They'd probably be able to stay on it for a long time (until they merged or got bought out - that might force a change).
But for the folks with thousands of users in 180 countries that have used MS for years - there is just no way to go back now. The stockholders would kill us if we tried to spend enough money to make it happen.
"private security researcher" sounds really that much more educated and important than a mere "hacker"...
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
Can people *please* start adding the processor(s) affected to security releases? Or for that matter, to hardware and software?
Does this only apply to XP on x86, or XP x64 as well?
As someone who runs a XP x64 workstation, I'm getting really tired of being ignored! Vendors list "XP" support, but never tell you if they support x64. Security mailing lists have "XP Security issues", but no one says which XP it impacts.
I'm sure myself and the handful of other users of XP x64 would really appreciate it if people started denoting which hardware platforms they support.
...Linux and Windows security are neck-and-neck...
We force RDP on all our workstations through group policy. It would be sort of like the stone ages to have to walk to each desktop to support it, don't you think?
Every company I've worked at has done this.
NOT!
Look, just what would it take for Microsoft to get it right?
Does anyone really expect that Longhorn (no matter how much time they spend on it) is going to be any better?
Linux = Not Ready for Joe Average's Desktop
MacOS X = Ready for anyone from "Joe never had a computer before" to "Mr. I write Operating Systems for a living"
Sorry, Linux is alright, but MacOS X blows any of the free un*xes away... Windows... don't get me started
You're making me horny talking about all these holes..
I have been running ZoneAlarm on Win2000 for over a year now. I know of no major problems with it. Been running it on my wife's WinXP (Home) machine for about 6 months; again, no major problems that I know of.
The best definition of insanity I've ever heard:
"Doing the same thing over and over again, expecting different results."
Keep applying those patches, rebooting, reformatting, and reinstalling. Maybe someday you'll get a different result. Maybe Lamehorn will bring pie from the sky.
Best antidote for insane behavior: "Son, if you want your life to be different, start doing things differently."
If you want your life to be different, live it differently.
This is EXACTLY why you cannot just run a firewall on a box and consider yourself protected. Because a firewall is just software (even the hardware ones have firmware that runs them) and software will have flaws.
It's exactly why defense in depth is the only real approach to security, so even if a firewall is vulnerable there's nothing inside to attack. Windows XP with firewall on is just like a Tootsie Pop, one bad lick and the attacker gets all your Tootsie they like.
X allows me to seamlessly mix windows from multiple machines on one desktop. I can even seamlessly cut and paste between them. It's so much more convenient. At work I have to context switch between whole desktops to do simple things like move to the next track on the media player.
I think that the eWeek article might be slightly off on the flaw being reported.
The DailyDave mailing list suggests that the XPSP2 bug, and the RDP flaw are the same. It will take until the second week in August before the real bug with SP2 will be announced, as declared on the Security-Protocols site.
The ISC diary is talking about port 3389 starting to attract a rise in traffic - the RDP and Terminal Services port, with earlier rumours of a 0-day having raised its head on Windows. If it is the same vulnerability as that on the security-protocols site, then we are stuck until the second week of August before the patch is released, and someone either leaked the exploit, or it was independently uncovered, but news of which hasn't reached the surface, yet.
Looking at Microsoft's own security advisories, number 904797 talks of a known Denial of Service with RDP which is awaiting a patch. Perhaps it is the same as the security-protocols site, and maybe it isn't, but Microsoft only consider it to be a Denial of Service, while the security-protocols site appears to be something which can be actively exploited.
In the case at hand that's just not true. It's no more false than using strong passwords. The added time it would take for a script to TCP connect scan every single port on an entire netblock or selection of random IP addresses does give you security. Assuming you are not restricting access based on IP#, nothing is 100% secure against a brute force attack and non-standard port usage is no exception; however, it is one more substantial hurdle for the attacker to clear. Hacking strong passwords as opposed to weak ones adds to the time it takes for a successful attack. Using nonstandard ports also adds to that time.
In the case where somebody is hand-crafting an attack against your box then yes, the use of non-standard ports would be a trivial hurdle.
Yes, it gives you security through obscurity. Attacks that are susceptible to brute force can't really do much except that. That is why using an obscure password is better than using an obvious password. If you happen to know a quicker method than TCP connect scans for use against mass amounts of randomly selected targets then please, let us all know. You are correct that there are many different ways, but your presupposition that those other ways are quicker is surely wrong.