Cloud Microsoft Network Security Windows IT

Microsoft: RDP Vulnerability Should Be Patched Immediately

wiredmikey writes "Microsoft is urging organizations to apply the sole critical update in this month's Patch Tuesday release as soon as possible. The critical bulletin – one of six security bulletins issued as part of Tuesday's release – addresses two vulnerabilities in the Remote Desktop Protocol (RDP). Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon's AWS, need to patch as quickly as possible, said Qualys CTO Wolfgang Kandek. Besides the RDP bugs, this month's Patch Tuesday addressed five other vulnerabilities: two denial-of-service bugs and an escalation of privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation of privileges issue in Microsoft Visual Studio."
  • by PolygamousRanchKid ( 1290638 ) on Wednesday March 14, 2012 @02:38AM (#39349463)

    Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.

    Any other ports?

    It's tunnels. All the way down.

  • Re:Not worrying (Score:4, Insightful)

    by nzac ( 1822298 ) on Wednesday March 14, 2012 @02:43AM (#39349509)

    I think all of those have happened in Linux at some stage, with the exception of privilege escalation exploits in an IDE.
    It just happens less and the number of exploits is reduced due to rapid updates, on average much better admin and version fragmentation from different distros.

  • Re:Not worrying (Score:2, Insightful)

    by Anonymous Coward on Wednesday March 14, 2012 @03:17AM (#39349637)
    And having a vulnerability in a GUI (RDP) protocol is somehow worse than having vulnerabilities in SSH how exactly?
  • Re:Not worrying (Score:5, Insightful)

    by lucm ( 889690 ) on Wednesday March 14, 2012 @03:31AM (#39349701)

    RDP [wikipedia.org] is a GUI, SSH (for instance) is not. From wiki:

    Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer

    Don't you think it is easier to hack a computer from a windowed based tool where you see the menus and all, than from an austere text based prompt?

    I would suspect that someone who has the skill set required to "hack a computer" would not be slowed down much in his mischievous activity by an austere text based prompt.

  • by lucm ( 889690 ) on Wednesday March 14, 2012 @04:00AM (#39349827)

    Who are all these admins doing stuff over RDP and why are they still employed? I've seen these installations myself but I simply cannot believe it. It's so dumb that it boggles the mind. Why would I need to login to a full display server to remotely administrate... anything? Oh, unless I'm on Windows where some applications cannot be used without the GUI. Lol. This is so pathetic. If you simply must use a GUI, just tunnel an X client over SSH and never worry about applying patches again- oh but wait, I forgot again that we're on Windows so you can't do that. Why anyone would rely on this backwards, insecure, cumbersome, and ultimately counter-productive bullshit is completely beyond me.

    The dangerous people are not the admins that are using RDP. The dangerous people are the idiots that think that because they use an X client over SSH they don't have to worry about applying patches again.

    So it does not surprise me that the fact that people rely on technologies that you don't understand is completely beyond you. Once you get real work experience, other than maintaining that FTP server for a non-profit or that Drupal server for Uncle Bob's tackle and bait shop, we can have this discussion again.
