Slashdot Mirror


RDP Proof-of-Concept Exploit Triggers Blue Screen of Death

mask.of.sanity writes "A working proof of concept has been developed for a dangerous vulnerability in Microsoft's Remote Desktop Protocol (RDP). The hole stands out because many organizations use RDP to work from home or access cloud computing services. Only days after a patch was released, a bounty was offered for devising an exploit, and later a working proof of concept emerged. Chinese researchers were the first to reveal it, and security professionals have found it causes a blue screen of death in Microsoft Windows XP and Windows Server 2003 machines. Many organizations won't apply the patch and many suspect researchers are only days away from weaponizing the code."

6 of 128 comments

  1. Re:How important is this? by remus.cursaru · Score: 5, Insightful

    Windows 2003 crashed remotely because you didn't apply a 3-day-old patch doesn't seem scary to you? Just wait for the bean counters on the second floor to stone you to death because their stone-age old ERP crap is down. Or the DNS/DHCP server. Or the whole freaking AD.

  2. Who uses RDP without a VPN? by Kenja · Score: 4, Insightful

    I have never seen RDP open to the world. If you do that, you're asking for issues regardless of any exploit.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"

    1. Re:Who uses RDP without a VPN? by parlancex · Score: 4, Insightful

      Then you don't have much exposure to the MANY SMBs that are set up like this. I even know of some otherwise competent consultants that do this, stating that the traffic is secure.

      I've closed this hole many times at new clients.

      Ah yes, another incompetent *nix admin with his head in the sand. Since this was posted as AC I know you're probably trolling, but I'll bite. Since the RDP changes starting with Windows Vista and Server 2008 (pre-R2, even), the RDP connection handshake resembles that of TLS, SSH, and other VPN protocols, utilizing RSA, certificate-based identity verification, and AES (with keys transmitted RSA-encrypted during setup).

      If modern RDP is insecure, I have really bad news for SSH, e-commerce and the entire fucking world that uses TLS.

  3. Re:M$ Windoesn't by DigiShaman · Score: 5, Insightful

    Insanely stupid

    Aside from this nasty RDP bug, how exactly is this "insanely stupid" any more so than leaving a web server connected to the Internet? I've seen plenty of web servers get rooted and turned into zombie-spewing infected machines throwing spam and hosting fake AV advertisements.

    For over ten years now, a major exploit of RDP is a first that I can recall. And BTW, the RDP connection is encrypted. With VPN, encryption is iffy at best and may not be enabled by default depending on the client you use.

    Just because RDP provides a GUI remote desktop and looks more exposed visually doesn't mean it technically is any less secure than other protocols used.

    --
    Life is not for the lazy.

  4. Re:How important is this? by NatasRevol · Score: 4, Insightful

    You'd be wrong. Dead wrong.

    MS shops do this.
    Shops that avoid MS at all costs and give control of it to finance/ms person, who have no clue about security do this.
    Small businesses that just don't know better do this.

    --
    There are two types of people in the world: Those who crave closure

  5. Re:Is this the hole that was patched one Tuesday? by Abalamahalamatandra · Score: 4, Insightful

    I have employees who are allowed to come in to the VPN with their home (non-corporate-managed) machines, and no restrictions on their network traffic. I'm working on changing that but it hasn't happened as yet. Additionally, I have way too much experience with malware running on Windows machines while their installed antivirus software is happily telling anyone who asks there's nothing wrong at all.

    You need to stop thinking about internal risks in terms of deliberate actions by malicious employees (which is still a risk) and start thinking more in terms of the malware they're almost inevitably running and what actions it can take without their knowledge. This is a highly wormable exploit - think SQL Slammer. I would suggest you consider your soft center as well as your hard crunchy outside for this one.