Slashdot Mirror


New Batch of XP SP2 Holes

terap writes "Microsoft has acknowledged that it is working on a patch for a potentially serious security hole in the 'Remote Desktop' feature. It affects fully patched versions of Windows XP Service Pack 2, even with the integration firewall turned on. There is a possibility this could lead to code execution attacks."

40 of 274 comments

  1. Hardware Firewall by ForumTroll · · Score: 4, Insightful

    Seriously people they're cheap as hell and much superior to anything you're going to get from Microsoft on a software level. Just close all ports on the hardware firewall, except the few that you need, and try to keep your computer updated. It's really a very simple process and can save you tons of time in the end.

    --
    "A Lisp programmer knows the value of everything, but the cost of nothing." - Alan Perlis
    1. Re:Hardware Firewall by macaulay805 · · Score: 2, Interesting

      I have been battling with this exact problem for ages with one of my friends. Instead of reformatting/virus cleaning/spyware cleaning he'd rather just buy a whole new computer. He is currently on his 4th computer, but refuses to buy a $10 hardware firewall. These are not the cheap computers we buy and put together either, it's the overpriced HP computers. The other reason why I do not want to touch his computer is this: One of my other friends brought over a NAV 9.0 CD and installed it, it detected a virus (unknown to me which one it is at this time), then this friend is no longer allowed at the house because it was the NAV 9.0 CD that was infected, not his unpatched (to this day) Windows XP (non SP anything) non firewalled porn cache ridden spyware infested computer which contracted the disease before. Funny stuff. This guy, which basically BOUGHT an MCP, believes he is "THE SHIT" of computer techs can't even enable the damn Windows Firewall. Funny stuff, I come around every so often to hear the lunacy of his techness, they probably make a Bash quote or two out of 'em!

    2. Re:Hardware Firewall by awkScooby · · Score: 4, Insightful
      A hardware firewall is good advice for a home user, but isn't as good a solution for a big company or university where Remote Desktop is used as a support tool. Sure, there will be corporate firewalls which protect desktops from the Internet, and maybe even from some other internal networks, but all it takes is one worm on someone's laptop to bypass the corporate firewall(s).

      I'm curious as to whether 3rd party software firewalls for windows are impacted by this or not. If not, then this hole (and others which are likely to follow) would provide a good justification for purchasing and deploying a 3rd party solution.

    3. Re:Hardware Firewall by HairyCanary · · Score: 2, Insightful

      It's worth remembering that just having a firewall does not protect you from everything. All it does is basic protection. If you allow RDP from any source through your firewall, then you are still vulnerable to any RDP exploit. The firewall is not protecting the traffic, only the TCP connection. If you really want to be protected, use a firewall for NAT only, and do not map any ports back to your inside box. Or unplug your box from the 'net altogether.

    4. Re:Hardware Firewall by X0563511 · · Score: 2, Informative

      Sounds like you need to break in and teach his ass a lesson.

      Start with changing his wallpaper to a large font message saying "YOUR A DUMBASS! YOU CALL THIS SECURITY? SCREW YOU !"

      Leave it alone for a few weeks, see if he tries to change his ways. If not, keep the torment going. Hidden VNCs are nice.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  2. Firewall too? by peawee03 · · Score: 4, Interesting

    Isn't a firewall supposed to block incoming connections unless specifically allowed? So how can this flaw with RD still affect it with the firewall turned on? TFA doesn't make much of a mention of this.

    --
    I wish I could write clever and witty sigs.
    1. Re:Firewall too? by minus_273 · · Score: 3, Informative

      windows firewall opens a port for rdesktop by default

      --
      The war with islam is a war on the beast
      The war on terror is a war for peace
    2. Re:Firewall too? by Henry+V+.009 · · Score: 2, Insightful

      Maybe you could explain how remote desktop could listen for incoming connections without an open port.

    3. Re:Firewall too? by kayen_telva · · Score: 2, Informative

      no, it does not
      well, kind of

      it opens a port for remote desktop IF you enable remote desktop.

      so, the question is, does this exploit affect xp sp2 if rdp has never been enabled ?

    4. Re:Firewall too? by Cruithne · · Score: 2, Informative

      When you turn RD on in windows, it automagically opens the required port (3389) with windows firewall for you.

  3. Honestly by ZakuSage · · Score: 2, Interesting

    Why would anyone turn Remote Desktop on unless they know specifically that they're going to use it? The very name of it makes it sound like it's a problem waiting to happen. Even though I use Linux, I made a note of making sure any Remote Desktop feature was disabled.

  4. Same old cat but just in boots by soman · · Score: 2, Insightful

    Who thought really that there was a miracle at Microsoft? Look at all the holes Win Xp, SP1, had, who isn't surprised seeing that MS didn't have major holes in SP2. I doubt they went to the root of the problems with security in regards with their products at MS.

  5. A patch for XP? by intmainvoid · · Score: 3, Funny

    That'd be longhorn then.

  6. Re:I Never Use Remote Desktop by KiloByte · · Score: 3, Insightful

    Good advice.
    I'll go and scrap ssh, vnc and X then.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  7. Other implementations of RDP by morgan_greywolf · · Score: 5, Interesting

    Does this perhaps affect other implementations of RDP, like the one included with Gnome?

  8. Re:I Never Use Remote Desktop by ForumTroll · · Score: 2, Interesting

    Honestly some of the stuff they have turned on in the default install is just idiotic. I strongly suggest to anyone after installing windows to configure their services because half of the default services are ones they will never need/use. On Windows XP just go to the run box and type in "services.msc" or "msconfig" to configure all your services. IIRC correctly services can be changed the same way for Windows NT and Windows ME (WORST OS EVER).

    --
    "A Lisp programmer knows the value of everything, but the cost of nothing." - Alan Perlis
  9. Re:I Never Use Remote Desktop by Anonymous Coward · · Score: 2, Informative

    Remote Desktop is actually cool as hell. It is by far the best remote terminal service of any OS I've used.

    It is also just about the only legitimate reason to buy (or otherwise own) Windows XP over Windows 2000.

    And finally, it is also... guess what... turned off by default.

    Move along, nothing to see here...

  10. don't use the standard RDC Port by Anonymous Coward · · Score: 5, Informative

    I use Remote Desktop quite often, it can be very useful and it's more transparent and efficient than PcAnywhere.

    What I do is change the port that RDC uses, from the standard 3389 to a unique port. To do this, go to registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
    change the decimal value, and reboot.

    1. Re:don't use the standard RDC Port by jmking1 · · Score: 2, Insightful

      This is security by obscurity. Any script kiddie with a port scanner is going to get around this naive hack.

    2. Re:don't use the standard RDC Port by lheal · · Score: 4, Insightful

      That's not even a first line of defense. OK, so you get past people scanning your whole /16 for open port 3389. But

      nmap -v -sV -O your.box.net
      will reveal that port running RDC on your.box.net the same as if it were on the default 3389.

      Keep in mind that unusual results draw more attention. You want to be invisible, or at least, to look like as many others as possible.

      --
      Raise your children as if you were teaching them to raise your grandchildren, because you are.
    3. Re:don't use the standard RDC Port by myrdred · · Score: 2, Informative

      While you are correct that a human hacker would still be able to find out what port RDC is running on, and then proceed to exploit it (if there is an exploit), changing the port will still protect from automated worms that would just go for port 3389 and try to do their exploits.

    4. Re:don't use the standard RDC Port by tyler_larson · · Score: 4, Insightful
      "That's not even a first line of defense."

      Actually, it's a wonderful first line of defense. In fact, it's a wonderful procedure to follow for all remote access (if possible) because of two main reasons:

      First, you're safe from worms. That's not an insignificant thing. The vast majority of all attacks (especially against Windows boxes) are perpetrated through some automated process--worms or other malware. These programs generally don't waste time doing in-depth scans of computers. If you're configured differently than the rest of the flock, you're not worth the time.

      Second, you're safe from casual portscans. My own servers are scanned at least 20 times a day, and often over a hundred. To save time, these scans only hit the "interesting" ports. If you don't look immediately interesting, you'll just be passed by.

      That whole bit about keeping the default setup to avoid extra attention is a bunch of BS. There's nothing terribly suspicious about running a service on a non-standard port. Furthermore, it doesn't matter how interesting or uninteresting a host appears. If your configuration is exploitable, you'll be exploited when discovered. And if you look just like everyone else, well then everyone else will be exploited too.

      There is no strength in numbers, and there is no real strength in solitude. But if you can avoid detection, then you've avoided an attack. That's like hiding your valuables to avoid theft: It's not a reliable defense, but it's simple and works often enough to make for a reasonable precaution.

      --
      "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
      RFC 1925
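
Added example, not part of the thread: a read-only PowerShell audit of the settings this sub-thread argues about, namely whether Remote Desktop is enabled, which port `PortNumber` sets, and which source addresses the firewall admits on that port. It assumes Windows 8 / Server 2012 or later (the NetTCPIP and NetSecurity cmdlets do not exist on XP); `Get-RdpExposure` is a name chosen here, and the registry path is written as it is spelled on a live system, `Control\Terminal Server`.

```powershell
# Added example: local, read-only audit of Remote Desktop exposure. Run elevated.
# Assumption: Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity modules).

function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is switched off.
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
    # PortNumber is the value the thread suggests changing from 3389.
    $port = (Get-ItemProperty -Path $tcpKey -Name PortNumber).PortNumber

    # Is anything actually listening on the configured port?
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port `
                        -ErrorAction SilentlyContinue)

    # Enabled inbound allow rules that name this exact TCP port.
    # (Rules written as port ranges or "Any" are not matched by this simple test.)
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and
                       $_.Direction -eq 'Inbound' -and
                       $_.Action -eq 'Allow' }

    # For each rule, record which remote addresses it admits.
    $scopes = foreach ($r in $rules) {
        $addr = ($r | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $r.DisplayName
            Profile       = $r.Profile
            RemoteAddress = $addr -join ','
        }
    }

    [pscustomobject]@{
        RdpEnabled      = ($deny -eq 0)
        Port            = $port
        NonDefaultPort  = ($port -ne 3389)
        Listening       = $listening
        AllowRules      = $scopes
        OpenToAnySource = [bool]($scopes | Where-Object { $_.RemoteAddress -eq 'Any' })
    }
}

$result = Get-RdpExposure
$result | Format-List RdpEnabled, Port, NonDefaultPort, Listening, OpenToAnySource
$result.AllowRules | Format-Table -AutoSize

if ($result.RdpEnabled -and $result.OpenToAnySource) {
    # A non-default port changes where the service listens, not who may reach it.
    Write-Warning ("RDP on port {0} accepts connections from any address; " +
                   "scope the rule's RemoteAddress or disable the service.") -f $result.Port
}
```
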
  11. Heh by mcc · · Score: 4, Funny
    "The software maker's confirmation follows public disclosure of the vulnerability by a private security researcher who goes by the moniker 'badpack3t.'"
    I'm sorry, I can't read past that point in the article. I'm laughing too hard.
  12. An entirely new approach by AtariAmarok · · Score: 4, Funny

    It has been years now, and Microsoft's solution to plugging this has never worked. How about an entirely new approach?

    --
    Don't blame Durga. I voted for Centauri.
  13. Re:This is news-worthy because...? by lakcaj · · Score: 5, Funny


    You must be new here.

  14. Monty Python's Crashing Windows by PakProtector · · Score: 4, Funny

    Father: They told me I was daft to build Windows, but I built it anyway! It was full of flaws and suffered horrible exploits.

    Father: So I built another Windows! It was full of flaws and suffered horrible exploits.

    Father: So I built a third Windows. It was full of flaws and suffered horrible exploits and the Remote Desktop Feature could be hijacked causing it to crash.

    Father: So I built a Fourth Windows! And it had DRM! And that's what you're going to be inheriting lad! The most bloated, useless feature, locked-out OS in these here lands!

    Son: But mothe-

    Father: I'm your father!

    Son: But father... I don't want any of that.

    Father: Well what do you want?!

    Son: I want... something... bug free... and... fre-...

    Father: Hey! Hey, now! There'll be none of that!

    --

    Edward@Tomato - /home/Edward/ man woman
    man: no entry for woman in the manual.
    "Qua!?"

    1. Re:Monty Python's Crashing Windows by richie2000 · · Score: 4, Funny
      Couldn't you have him start off with the Free Software Song while the Father jumps in and stops him? :-D

      - One day lad, all this will be yours!
      - Wot, the curtains?
      - No, the Windows!

      --
      Money for nothing, pix for free
  15. Potentially serious... by ninja_assault_kitten · · Score: 2, Interesting

    I say medium at best...
    1) Few corporate workstations have RDP enabled.
    2) Few corporate environments allow anonymous access to RDP (or Terminal Services).
    3) RDP isn't enabled on XPSP2 by default to begin with.
    4) There's no reason to believe this vul would allow remote code execution at this point.

  16. Re:Who the fuck... by Tezkah · · Score: 4, Interesting

    I've had too many problems with firewalls from ZoneAlarm, Kerio, etc, especially with them causing XP to hang on boot, skyrocketing memory use, etc, especially compared to the extremely basic windows firewall (I'm behind a router, I don't need much out of a firewall.)

    I work in a call center for a major US ISP. Do you know how often we get people calling in because Norton Internet Security is screwing up? I talked to at least two people personally just yesterday, one couldn't get his email because Norton would cause the connection to the server to close, another lady could open up PORT 80 TO BROWSE THE INTERNET. These people didn't change any settings on NIS, it just caused this on its own. I know that IE isn't secure, but that's a little extreme.

    The XP Firewall hasn't bothered me at all, not a memory hog for something as simple as a firewall, and hasn't caused me any problems, which is more than I can say about ZoneAlarm/Kerio.

    Tell me, what makes it not a real firewall? It blocks ports.

  17. DOS-attack by jiushao · · Score: 4, Informative
    No need to blow this out of proportion; from the article:

    "In an advisory posted at SecurityProtocols.com, the researcher described the issue as a remote kernel denial-of-service flaw affecting XP SP2, with the default firewall turned on."

    I know Slashdot loves to hold Microsoft to golden standards, but a DOS-attack in a not overly important desktop daemon is hardly huge news. At the very least it happens to a lot of OS's a lot of the time.

  18. I do. by ichigo+2.0 · · Score: 2, Insightful

    And until someone ports iptables to windows or I upgrade to a hardware firewall, I'm going to go on using it. All the other firewalls available for windows are disgustingly bloated crippleware, and I'll rather take my chances with windows built-in firewall than have yet another program slow up my computer at startup and add another-annoying-systray-icon(TM).

    Remote Desktop? Meh.

  19. Bugs are good for jobs by msbsod · · Score: 2, Interesting

    Your IT staff loves security holes. It gives them an important task, they get paid and with every patch they install they know the software keeps them busy and employed for a long time. The PC users in your organization or company are also happy, because someone takes care of their PC's. While the PC is down you can even chat an hour with your colleague. And the executives are proud that they have everything under control. Everybody feels good.

  20. Good news, it does. by fbartho · · Score: 2, Informative

    Actually, it does have a port option. syntax: ipaddress:port just put a colon in, the same as when you access any webservices not running on port 80

    --
    Gravity Sucks
  21. Hmm by LooseChanj · · Score: 2, Interesting

    How exactly is this one problem a "batch"?

    --
    Mix the failings of Usenet with the shortcomings of the World Wide Web and the result is slashdot.
  22. That's why I connect to my 2k3 server first, by b00m3rang · · Score: 2, Funny

    then RDP into my desktop machine. If only one of the two systems is vulnerable to a particular attack, you still won't be able to get into both (or either) system.

  23. Re:Unrealistic... by Not_Wiggins · · Score: 2, Informative

    "Blocking every port from 1024-65555 is unrealistic...
    In fact, if you use passive FTP to download anything from the internet, if you use MSN Messenger to transfer files or view webcams, if you transfer files by DCC via an IRC client... or use any other application which is not port range specific.
    This means that anytime you need to do such thing you have to manually open wide 1024-65535 ports and go back to normal mode after."


    You're forgetting that a lot of these firewalls have stateful connections... meaning, if you originate a connection out (such as with passive FTP... you're told which port to connect to), it automatically is allowed back in in response.

    And for services that require that you have ports open and back to the particular computer (active ftp, eMule, the webcam stuff, etc), a lot of the modern firewalls also include support for Port Triggering. Basically, if you specify the ports you'll want to use in the firewall, it can automatically forward that range of ports to whichever internal computer "triggers the port forwarding." This means, you can use eMule... then your roommate can use it after just by hitting the firewall trigger. An example of how this might look on a somewhat typical home firewall is here: D-Link firewall.

    And if that sounds complicated, it is no more complicated than having to tell the Windows firewall to allow those same connections into the computer.

    The home hardware firewall is very easy to use... and the parent stated, there's no reason for everyone to have one. Heck, even my 60 year-old mom uses one. 8)

    --
    Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
  24. Re:I Never Use Remote Desktop by VGPowerlord · · Score: 2, Interesting
    To address the services you explicitly mentioned, while I think Remote Registry being on by default is a Bad Item (tm), the other two have legitimate uses.

    Secondary Login is the Windows equivalent of the su command. I wouldn't recommend removing it. Not all users run with Administrator access. I'm posting this from my gaming machine, a Windows XP machine, as a Limited User.

    Server is part of the SMB networking system. While not useful in a corporate network, it is useful in a Peer to Peer network. As far as I can tell, disabling this is the same as disabling Samba's nmbd.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  25. Re:Oh great, another Microsoft bug story by Klaus+Obermeyer · · Score: 2, Insightful

    "As a business owner, I understand ethics pretty thoroughly."

    And we all know the paragon of Ethics the business world is.

    Honestly though, you may very well be an ethical person, but your status as a businessman is hardly related to such.

    "However, most OSS zealots have no clue. Most OSS zealots are more than happy to side with the gov't when they think it's somehow at their advantage (anti-trust against MS), and slam the gov't for its stupid laws when it's at their advantage to do so (DMCA, IP laws, etc.). It's completely arbitrary and generally pretty damned uninformed."

    So, in your world one must either agree with everything the government does or disagree with everything it does?

    Perhaps someone could believe in the enforcement of fair trade and the maintenance of a level playing field (one aspect of government) while still being in favor of curtailing the government's ability to intrude upon a person's privacy. You seem like an intelligent person though so I won't go on, suffice it to say that people's actions wouldn't seem as arbitrary if you took a minute to understand their motivations and beliefs.

  26. Have to remember that phrase by imsabbel · · Score: 3, Funny

    "private security researcher" sounds really that much more educated and important than a mere "hacker"...

    --
    HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
  27. Re:Who the fuck... by baadger · · Score: 2, Informative

    Running Windows 2000 myself and I use Kerio Personal Firewall 2.15, the last firewall in the 2.x series and the last "personal firewall" from Kerio I can tolerate.

    It has some major issues, don't use the remote access for one. But it's a decent supplement to the Windows Firewall on open source project was planned to build an open source clone, unfortunately it seems to be going nowhere.

    Failing that, Sygate is a good choice.