Slashdot Mirror


New Batch of XP SP2 Holes

terap writes "Microsoft has acknowledged that it is working on a patch for a potentially serious security hole in the 'Remote Desktop' feature. It affects fully patched versions of Windows XP Service Pack 2, even with the integration firewall turned on. There is a possibility this could lead to code execution attacks."

13 of 274 comments

  1. Hardware Firewall by ForumTroll · · Score: 4, Insightful

    Seriously, people, they're cheap as hell and much superior to anything you're going to get from Microsoft on a software level. Just close all ports on the hardware firewall, except the few that you need, and try to keep your computer updated. It's really a very simple process and can save you tons of time in the end.

    --
    "A Lisp programmer knows the value of everything, but the cost of nothing." - Alan Perlis

    1. Re:Hardware Firewall by awkScooby · · Score: 4, Insightful
      A hardware firewall is good advice for a home user, but isn't as good a solution for a big company or university where Remote Desktop is used as a support tool. Sure, there will be corporate firewalls which protect desktops from the Internet, and maybe even from some other internal networks, but all it takes is one worm on someone's laptop to bypass the corporate firewall(s).

      I'm curious as to whether 3rd party software firewalls for windows are impacted by this or not. If not, then this hole (and others which are likely to follow) would provide a good justification for purchasing and deploying a 3rd party solution.

    2. Re:Hardware Firewall by HairyCanary · · Score: 2, Insightful

      It's worth remembering that just having a firewall does not protect you from everything. All it does is basic protection. If you allow RDP from any source through your firewall, then you are still vulnerable to any RDP exploit. The firewall is not protecting the traffic, only the TCP connection. If you really want to be protected, use a firewall for NAT only, and do not map any ports back to your inside box. Or unplug your box from the 'net altogether.

  2. Same old cat but just in boots by soman · · Score: 2, Insightful

    Who really thought that there was a miracle at Microsoft? Look at all the holes Win XP SP1 had; who isn't surprised seeing that MS didn't have major holes in SP2? I doubt they went to the root of the problems with security in regard to their products at MS.

  3. Re:I Never Use Remote Desktop by KiloByte · · Score: 3, Insightful

    Good advice.
    I'll go and scrap ssh, vnc and X then.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.

  4. More and more by mfloy · · Score: 1, Insightful

    It must seem like a losing cause for all the patchers at Microsoft, every time they fix one hole 3 more pop up.

  5. Re:Firewall too? by Henry+V+.009 · · Score: 2, Insightful

    Maybe you could explain how remote desktop could listen for incoming connections without an open port.

  6. Re:don't use the standard RDC Port by jmking1 · · Score: 2, Insightful

    This is security by obscurity. Any script kiddie with a port scanner is going to get around this naive hack.

  7. Re:Oh great, another Microsoft bug story by Izago909 · · Score: 1, Insightful

    I find it funny the editors are probably pushing their thirties, yet still act like 5 year olds toward a billion dollar corporation that has contributed more and done more for the world than they can ever hope to.
    I agreed with you up until this point. I can't remember the last time MS went out of the way for philanthropic motives. Everything they have ever done has self-serving purposes. That's the way business works in a capitalistic society. Remember their settlement with the state of California? They gave vouchers and coupons for their software to schools as a settlement in the states anti-monopoly case. Whenever they have committed a true act of charity, the PR department is quick to flaunt it to every news agency around as if they can buy back a positive public image.

    There are two main reasons that everyone loves to beat on MS. The first being their propensity to play the game of business by the dirtiest means possible. The second is how quickly they cry foul when anyone uses their own dirty tactics against them. Also, lets not forget the most important thing: you are now posting on a website owned by the "OPEN SOURCE DEVELOPMENT LABS". Seeing as how MS is enemy #1 of open source, I don't understand how you expect anything but MS bashing here. Personally, anytime I hear someone kissing Microsoft's ass, I can't help but think that they don't understand business ethics, or perhaps, live in a velvet cage.
  8. I do. by ichigo+2.0 · · Score: 2, Insightful

    And until someone ports iptables to Windows or I upgrade to a hardware firewall, I'm going to go on using it. All the other firewalls available for Windows are disgustingly bloated crippleware, and I'd rather take my chances with Windows' built-in firewall than have yet another program slow up my computer at startup and add another-annoying-systray-icon(TM).

    Remote Desktop? Meh.

  9. Re:don't use the standard RDC Port by lheal · · Score: 4, Insightful

    That's not even a first line of defense. OK, so you get past people scanning your whole /16 for open port 3389. But

    nmap -v -sV -O your.box.net
    will reveal that port running RDC on your.box.net the same as if it were on the default 3389.

    Keep in mind that unusual results draw more attention. You want to be invisible, or at least, to look like as many others as possible.

    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.

  10. Re:Oh great, another Microsoft bug story by Klaus+Obermeyer · · Score: 2, Insightful

    "As a business owner, I understand ethics pretty thoroughly."

    And we all know the paragon of Ethics the business world is.

    Honestly though, you may very well be an ethical person, but your status as a businessman is hardly related to such.

    "However, most OSS zealots have no clue. Most OSS zealots are more than happy to side with the gov't when they think it's somehow at their advantage (anti-trust against MS), and slam the gov't for its stupid laws when it's at their advantage to do so (DMCA, IP laws, etc.). It's completely arbitrary and generally pretty damned uninformed."

    So, in your world one must either agree with everything the government does or disagree with everything it does?

    Perhaps someone could believe in the enforcement of fair trade and the maintenance of a level playing field (one aspect of government) while still being in favor of curtailing the government's ability to intrude upon a person's privacy. You seem like an intelligent person though so I won't go on, suffice it to say that people's actions wouldn't seem as arbitrary if you took a minute to understand their motivations and beliefs.

  11. Re:don't use the standard RDC Port by tyler_larson · · Score: 4, Insightful

    That's not even a first line of defense.

    Actually, it's a wonderful first line of defense. In fact, it's a wonderful procedure to follow for all remote access (if possible) because of two main reasons:

    First, you're safe from worms. That's not an insignificant thing. The vast majority of all attacks (especially against Windows boxes) are perpetrated through some automated process--worms or other malware. These programs generally don't waste time doing in-depth scans of computers. If you're configured differently than the rest of the flock, you're not worth the time.

    Second, you're safe from casual portscans. My own servers are scanned at least 20 times a day, and often over a hundred. To save time, these scans only hit the "interesting" ports. If you don't look immediately interesting, you'll just be passed by.

    That whole bit about keeping the default setup to avoid extra attention is a bunch of BS. There's nothing terribly suspicious about running a service on a non-standard port. Furthermore, it doesn't matter how interesting or uninteresting a host appears. If your configuration is exploitable, you'll be exploited when discovered. And if you look just like everyone else, well then everyone else will be exploited too.

    There is no strength in numbers, and there is no real strength in solitude. But if you can avoid detection, then you've avoided an attack. That's like hiding your valuables to avoid theft: It's not a reliable defense, but it's simple and works often enough to make for a reasonable precaution.

    --
    "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
    RFC 1925
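Comments 9 and 11 above both turn on whether moving Remote Desktop off port 3389 hides it. What lheal's `nmap -sV` line relies on is that the service is identified by what the client and server actually say, not by the port number. The following Python is an added example written for this mirror, not code from any of the posters: it recognises the first message an RDP client sends, a TPKT-framed X.224 Connection Request (framing per RFC 1006, cookie and RDP_NEG_REQ fields as documented in Microsoft's MS-RDPBCGR), and labels a flow as RDP whatever port it arrived on. The sample flows, the cookie value `admin` and the port 33890 are constructed for the demonstration; a defender would run the same check over the first client payload of each new connection seen by a sensor.

```python
"""Added example: identify an RDP connection request by its bytes, not its port.

The first thing an RDP client sends is a TPKT-framed X.224 Connection Request
(RFC 1006 framing, X.224 class 0, optional mstshash cookie and RDP_NEG_REQ as
documented in MS-RDPBCGR). A protocol-aware scanner or IDS matches on that
structure, so moving the listener off 3389 does not hide it. The sample flows
at the bottom are constructed for this demonstration.
"""
import struct
from typing import Any, Dict, Optional

RDP_DEFAULT_PORT = 3389
# requestedProtocols flag bits carried in RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1)
NEG_PROTOCOL_NAMES = {0x1: "SSL", 0x2: "HYBRID(NLA)", 0x8: "HYBRID_EX"}


def parse_rdp_connection_request(payload: bytes) -> Optional[Dict[str, Any]]:
    """Return parsed fields if payload is an X.224 Connection Request, else None."""
    # TPKT header: version 3, reserved 0, big-endian 16-bit total length.
    if len(payload) < 11 or payload[0] != 0x03 or payload[1] != 0x00:
        return None
    (tpkt_len,) = struct.unpack(">H", payload[2:4])
    if tpkt_len != len(payload):
        return None
    # X.224 CR TPDU: LI, code 0xE0 (CR, credit 0), DST-REF, SRC-REF, class options.
    li, code = payload[4], payload[5]
    if code != 0xE0 or 5 + li != tpkt_len:  # LI counts every byte after itself
        return None
    variable = payload[11:]  # bytes after the 7-byte fixed part
    cookie = None
    if variable.startswith(b"Cookie: mstshash="):
        end = variable.find(b"\r\n")
        if end < 0:
            return None
        cookie = variable[17:end].decode("ascii", "replace")
        variable = variable[end + 2:]
    protocols = None
    if len(variable) >= 8 and variable[0] == 0x01:  # TYPE_RDP_NEG_REQ
        _type, _flags, length, protocols = struct.unpack("<BBHI", variable[:8])
        if length != 8:
            return None
    return {"cookie": cookie, "requested_protocols": protocols}


def protocol_names(flags: Optional[int]) -> list:
    """Translate the requestedProtocols bitmask into readable names."""
    if not flags:
        return ["standard RDP security"]
    return [name for bit, name in NEG_PROTOCOL_NAMES.items() if flags & bit]


def classify_flow(dst_port: int, payload: bytes) -> Dict[str, Any]:
    """Label a flow by its first client payload; the port is recorded, not trusted."""
    info = parse_rdp_connection_request(payload)
    if info is None:
        return {"port": dst_port, "service": "unknown"}
    return {
        "port": dst_port,
        "service": "rdp",
        "nonstandard_port": dst_port != RDP_DEFAULT_PORT,
        "cookie": info["cookie"],
        "security": protocol_names(info["requested_protocols"]),
    }


def build_rdp_connection_request(cookie: str, protocols: int) -> bytes:
    """Constructed client hello, used only to build the sample flows below."""
    variable = b"Cookie: mstshash=" + cookie.encode("ascii") + b"\r\n"
    variable += struct.pack("<BBHI", 0x01, 0x00, 8, protocols)
    body = bytes([0xE0, 0, 0, 0, 0, 0]) + variable  # code, dst-ref, src-ref, class 0
    li = len(body)
    return b"\x03\x00" + struct.pack(">H", 5 + li) + bytes([li]) + body


# Constructed sample flows: (destination port, first client payload).
SAMPLE_FLOWS = [
    (3389, build_rdp_connection_request("admin", 0x0B)),
    (33890, build_rdp_connection_request("admin", 0x0B)),  # same client, moved port
    (3389, b"GET / HTTP/1.1\r\nHost: your.box.net\r\n\r\n"),  # not RDP despite the port
]


def scan_flows(flows=SAMPLE_FLOWS) -> list:
    """Classify every sample flow; the two RDP flows get the same label."""
    return [classify_flow(port, payload) for port, payload in flows]


if __name__ == "__main__":
    for result in scan_flows():
        print(result)
```

The second and third sample flows make the point from both sides: the request on 33890 is labelled RDP exactly as the one on 3389 is, and the HTTP request on 3389 is not labelled RDP just because of the port. This is also the distinction tyler_larson draws: a non-default port only helps against automated code that never looks at the payload, so a monitoring rule keyed on the protocol fingerprint, not the port, is what tells a defender where Remote Desktop is actually exposed.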