Microsoft Researchers Reveal Remote Encryption-Bypassing 'Evil Butler' Exploit

A security researcher demonstrated a way to bypass the full disk encryption in Windows BitLocker last November -- but that attack required physical access. Inserting the PC into a network with a counterfeit domain controller with incorrect time settings "allowed the attacker to poison the credentials cache and set a new password on the targeted device." An anonymous Slashdot reader writes: Microsoft fixed this vulnerability, and then fixed it again when two researchers pointed out in February 2016 that the fix was incomplete. At this year's Black Hat security conference, two Microsoft researchers have discovered a way to carry out the Evil Maid attack from a remote location, even over the Internet.

The two researchers say that an attacker can compromise a PC, configure it to work as a rogue domain controller, and then use Remote Desktop Protocol to access computers (that have open RDP connections) on the same network and carry out the attack from a distance. This particular attack, nicknamed a Remote Evil Butler, can be extremely attractive and valuable for cyber-espionage groups.
The article points out that Microsoft's February fix prevents this exploit, adding "The reason the two Microsoft researchers disclosed this variation of the original attack is to make companies understand the need to keep their systems up to date at all times."

Why is remote desktop on by default?

[ArtemaOne]

There are so many settings that I turn off on a new Windows installation. I really don't see why every back or front door has to be left open on a fresh install, upgrade, or update.

Re:Why is remote desktop on by default?

[akozakie]

That's one thing. The other one is:

"The reason the two Microsoft researchers disclosed this variation of the original attack is to make companies understand the need to keep their systems up to date at all times."

At least one company I know blocked all updates for two reasons entirely under MS control. 1: Win10 is not cleared for use yet for many reasons, updates pushed GWX. 2: High priority updates containing nothing but telemetry. Not enough resources to test & review everything. That's one company looking for other options. Probable outcome - Win cleared for VM use only, under a different host.

MS's feet are like a sieve from all the self-shooting. Future is not looking all that bright. Surprisingly, it's not due to buggy software - they're doing their best ever in that category. That's the price of allowing marketing&sales to touch the security feed.

Re:Which KB fixes this?

[Mister+Transistor]

Did a little more research; MS-16-014 addresses the fix, and the KB's resulting from it are KB3126587 and KB3126593.

However, oddly, they are not included in the "SP2" roll-up released on 5/12/2016. Weird. I tried to find out if those two KB's were replaced by something newer and I haven't been able to turn up anything.

I did find a couple of articles about the KB's causing some errors and failing to install on some systems, usually caused by a lack of an earlier update that they apparently are dependent upon.