Microsoft: RDP Vulnerability Should Be Patched Immediately
wiredmikey writes "Microsoft is urging organizations to apply the sole critical update in this month's Patch Tuesday release as soon as possible. The critical bulletin – one of six security bulletins issued as part of Tuesday's release – addresses two vulnerabilities in the Remote Desktop Protocol (RDP). Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon's AWS, need to patch as quickly as possible, said Qualys CTO Wolfgang Kandek. Besides the RDP bugs, this month's Patch Tuesday addressed five other vulnerabilities: two denial-of-service bugs and an escalation of privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation of privileges issue in Microsoft Visual Studio."
VNC over SSH tunnels, public keys, no root login (Score:5, Insightful)
Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.
Any other ports?
It's tunnels. All the way down.
Re:VNC over SSH tunnels, public keys, no root login (Score:5, Interesting)
Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.
Any other ports?
It's tunnels. All the way down.
Yeah, it sure is unfortunate that you can't do exactly the same thing with RDP. And MS should definitely think of adding IPSEC support one of these days (yes, I know). Of course people are probably less likely to bother, since unless you're French, RDP is fully encrypted (standard VNC only encrypts the password) and, talking of passwords, it allows them to be more than 8 characters long. You can even have a username too, if you use the right version and configure PAM (joke - there is no right version for that because it's a terrible idea security-wise). It has also never had a bug where the client could tell the server it didn't support any of its authentication schemes and so the server simply let it connect without authentication.
In fact this is the first time I've heard of a potential serious vulnerability in Remote Desktop, so frankly this is not the area to be smug about.
Anyway this is a bit too MS positive for my liking, so I'll just add that TurboVNC + VirtualGL + VirtualBox = one fucking awesome free VDI implementation. Add SSH, OpenVPN or IPSEC to taste if you want (although VirtualGL handles SSH itself transparently if you want). Actually for remote admin purposes you only need the 1st part (unless it's a bunch of 3D workstations you're supporting). And possibly a new hobby to use to soak up all the time you used to waste waiting for the screen to refresh. I would also mention FreeNX, but a) I think it gets outperformed by the above and b) I am fucked if I'm setting that damned thing up again just to verify.
Oh yeah, one more neat trick - VirtualBox can run in headless mode on a box with no GUI (or with one, doesn't matter). In this mode it serves up the VM display using an extended version of RDP. The great thing is this doesn't just apply to Windows VMs - it can serve any OS it can run over RDP. Watch the look on your colleagues' faces as you get them to fire up MSTSC and connect straight into Ubuntu. Or OS/2, OSX, Win 3.1 etc., etc. You can even dump them into an EFI shell or the virtual BIOS. Literally minutes of laughs to be had. Oh yeah, you may need the non-open source extension pack for that. Also they're adding VNC in the next release. I have no fucking idea why.
And no, I have no idea why you're not allowed to use RDP encryption in France. I have no idea why they're not allowed to use deodorant either, come to think of it.
Re: (Score:1)
Yeah, it sure is unfortunate that you can't do exactly the same thing with RDP. ....
Actually you can:
- Cygwin on the Windows box
- sshd service under Cygwin
- connect via ssh into your Windows box
- tunnel through the ssh into port 3389 on the same box
- open Terminal Services client, connect to localhost:XXXX
Works like a charm for me.
Re: (Score:1)
http://www.putty.org/ [putty.org]
The page is simple enough, I'll let you figure it out.
Note: I've never used it - yet.
Re: (Score:2)
http://www.putty.org/ [putty.org]
The page is simple enough, I'll let you figure it out.
Note: I've never used it - yet.
I'd double-check that URL. The official site is and has always been: http://www.chiark.greenend.org.uk/~sgtatham/putty/ [greenend.org.uk]
Re: (Score:2)
You are correct, my bad. Two other SSH servers for Windows (that appear to be free):
http://mobassh.mobatek.net/ [mobatek.net] - never heard of it
http://sshwindows.sourceforge.net/ [sourceforge.net] - Based on Cygwin but doesn't require a full-blown Cygwin install.
Re: (Score:2)
What people seem to be forgetting is that RDP alone is not really a "secure" communications channel for public networks. If you need high security, users should be VPNing into your LAN and then RDPing over that tunnel.
Out of the frying pan (Score:2)
Re: (Score:2)
If users/admins are incompetent enough to use passwords fit for luggage you can only guess how many unprotected Internet facing RDP servers will be ravaged within the next few weeks.
This is not a problem unique to Windows. At least once or twice a year I stumble upon machines where I can use SCOTT TIGER, toor or "secret" credentials.
Privilege escalation??? (Score:2)
Since when has Microsoft started counting those as bugs? Their usual policy is only to count remote exploits as "real" bugs worth being announced.
Re: (Score:2)
Since when has Microsoft started counting those as bugs? Their usual policy is only to count remote exploits as "real" bugs worth being announced.
Why complain? It's exactly the right thing for Microsoft to be doing.
Their big problem is the massive overhang of software that's not been properly designed for security (e.g., too much is still default-allow) and which people continue to want to use. The various Unix-based OSes have an advantage here, even if it is one of happenstance: Unix apps have been designed for use in privilege-separated environments, and have been for many decades. Microsoft got with the program later, and that's always much harder.
Re: (Score:2)
Oh, I am not complaining. I am just surprised after years of Microsoft shills screaming "Linux has a security bug in libpng but Windows does not!" and similar nonsense.
Re: (Score:2)
...and here they are, Microsoft shills.
Re: (Score:2)
Obviously, in your mind, people who pay for, say, Red Hat EL must not exist. Heck, even I pay for two RHEL self-support subscriptions; it's well worth the price in a business.
Re: (Score:2)
So it took them a few decades to learn that a privilege escalation is only one step removed from a full intrusion. At least they did eventually learn.
Re: (Score:1)
Since when has Microsoft started counting those as bugs? Their usual policy is only to count remote exploits as "real" bugs worth being announced.
No! Don't let facts stop you from MS bashing! What kind of an anti-MS troll are you? You need to undergo training, buddy.
Step 1: Ignore all the thousands of security bugs that Linux developers introduce into the codebase every year.
Step 2: Read more slashdot.
First real breach in Windows for a loong time (Score:2)
Microsoft has been counting IE security holes as Remote Execution a long time, which actually requires user intervention at the client-side.
I'm rather surprised that it took this long before somebody found a possible breach in the RDP implementation.
Who does RDP over the internet? (Score:2)
Questions and Observations (Score:2)
First, I've never once seen a best practices document that says "put RDP on the Internet." Maybe one exists, or maybe there are special cases somewhere that allow for it, but to me it just seems stupid to connect a Windows machine directly to the Internet, or port-forward directly to one from the edge device.
Second, has anyone heard of an exploit for this that involves a prior uncovered exploit - basically you get some malware that "phones home" to an SSH server and opens a reverse tunnel back to the local
Re: (Score:2)
The really sad thing is that there's IPsec in Windows and it's a trivial matter to create a policy that requires all connections to a particular service to be encrypted.
Re: (Score:2)
Well, with the low number of RDP holes over the years, statistically speaking, it's just as likely your VPN will have an exploit and get hacked.
Remember, it's turtles all the way down. All a hacker needs to find is the weakest link in the chain.
Re: (Score:1)
Safe, unless you are running bitcoin operations there.
Re:Not worrying (Score:5, Funny)
And having a vulnerability in a GUI (RDP) protocol is somehow worse than having vulnerabilities in SSH how exactly?
Any fool can use the GUI, but with SSH at least you can be sure that you are being hacked and exploited by a fellow geek.
Re: (Score:1)
Is this sarcastic or is this somehow really supposed to be reassuring?
You do know that they have point-and-click exploit kits, right? Ever heard of the term 'script kiddie'? Countless UNIX vulnerabilities have been packaged up into various graphical tools that non-experts can use to take advantage of vulnerable systems.
Re: (Score:3)
Is this sarcastic or is this somehow really supposed to be reassuring?
I was aiming for +5, Funny - with a faint smell of insightfulness while masquerading as informative.
I think I did rather well?
Re:Not worrying (Score:5, Informative)
It could happen to Linux as well. But it doesn't.
Linux does have comparable remote-access protocols to RDP, all of which have had plenty of remote exploits in the past. For example have a look at CERT advisories on SSH [google.com] and X11 [google.com]. Don't even get me started on VNC, which is often not updated automatically because it's an installable add-on instead of a system component.
Re: (Score:1)
I've had trouble with a VNC bug in the past. I was using a boot CD to copy Windows security updates so I wouldn't have to hook up the unsecured freshly installed Windows to the net, and suddenly the mouse started moving in a very mechanical fashion and it started to type (exactly one character per second) a command which was obviously intended to go into a console window (but fortunately ended up in an open text document). I pulled out the ethernet cable to get my mouse and keyboard back and killed the VNC
Re: (Score:1)
WTF does SSH vs. GUI have to do with security? If anything, once exploited SSH would be less secure, because it's easier to inject commands into a command prompt than it is to automate a GUI.
Re: (Score:2)
WTF does SSH vs. GUI have to do with security? If anything, once exploited SSH would be less secure, because it's easier to inject commands into a command prompt than it is to automate a GUI.
This: I've spent all damn day doing roughly the following procedure for each of my Windows clients:
* Connect into the client's WSUS server, enter username and password, get to desktop
* For Windows 2003, go to start, admin tools, WSUS
* Click the link for security updates and approve all, then click the link for important updates and approve all
* If they have multiple sites, repeat the first two steps for each site and then click the 'sync now' link
* Wait while the WSUS server(s) download the updates
*
Re: (Score:2, Funny)
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer
Don't you think it is easier to hack a computer from a window-based tool where you see the menus and all, than from an austere text-based prompt?
Re:Not worrying (Score:5, Insightful)
RDP [wikipedia.org] is a GUI, SSH (for instance) is not. From wiki:
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer
Don't you think it is easier to hack a computer from a window-based tool where you see the menus and all, than from an austere text-based prompt?
I would suspect that someone who has the skill set required to "hack a computer" would not be slowed down much in his mischievous activity by an austere text-based prompt.
Re: (Score:2)
Although they might get gummed up by the new ribbon interface in the menus. "Dammit, where did that button go?"
Re: (Score:2)
No, that's not how it works. Instead, the place where the Start button used to be serves as a kind of honeypot - the attacker reflectively clicks there within the first few seconds after entering the system, and then spends the rest of the session trying to figure out how to get out of Metro. ~
Re: (Score:3)
Microsoft developed the original RDP technologies (before someone jumps in, not *all* RDP tech, just the ones involved in this timeline), and sold it off to Citrix, who dramatically improved it. MS then licensed it back from Citrix as an independent product and included it into Windows.
Re: (Score:1)
Wow. Just wow.
Please don't tell me you're in any way shape or form responsible for IT security.
I hope you understand that graphical exploit kits do exist that target UNIX systems. This commenter [slashdot.org] pointed it out.
An attacker who knows what he is doing will attack both Windows and UNIX systems. One that doesn't will just use a tool that a skilled person wrote to "point and click" his way into a box regardless of what OS it is running.
Re: (Score:3)
The vulnerability is in the protocol, not that it is a remote GUI protocol. The fact it is a gui protocol is moot in this case - the attack allows someone (using a terminal, a gui, whatever) to send crafted packets to the RDP service (note, service) on a Windows machine that may allow them to run arbitrary code remotely, in just the same way that someone (using a terminal, a gui, whatever - see the consistency here?) to send crafted packets to XYZ service (note service) on a Linux/BSD/whatever machine that
Re: (Score:3)
Don't you think it is easier to hack a computer from a window-based tool where you see the menus and all, than from an austere text-based prompt?
Only to the extent that GUIs are easier to use in general. They are not inherently more hackable than text prompts: text may give you a little extra obscurity, but that's not something that should be relied on in a security context.
Re: (Score:3)
No, I don't think it is easier. Why do you think windows and menus make things any more hackable?
I know: someone using WinRunner or AutoHotKey could do brute-force hacking on a GUI!
This is brilliant, I must immediately check IRC (or Experts-Exchange) to see if there are scripts available to do that.
Re: (Score:3)
Nothing stops you from using Windows Remote Management [microsoft.com] to do exactly the same thing with Windows.
Re: (Score:1)
Nothing stops you from using Windows Remote Management [microsoft.com] to do exactly the same thing with Windows.
Windows applications may support a subset of remote management, but unfortunately there is often the case that one needs a desktop application to fully configure an app. On Linux the default is text file configs modifiable via CLI, whereas Windows' applications _expect_ you to have a GUI. Until that expectation changes, RDP will be the most powerful remote management available on Windows.
Re: (Score:3)
Linux does have comparable remote-access protocols to RDP, all of which have had plenty of remote exploits in the past. For example have a look at CERT advisories on SSH and X11. Don't even get me started on VNC, which is often not updated automatically because it's an installable add-on instead of a system component.
You didn't get a chance to look at years on those advisories, eh?
In 2002 everything was vulnerable. Literally.
In 2012, one would expect that such a critical component as RDP would be audited 100 times by Microsoft. Seemingly not.
Re: (Score:2)
Anyone who cares about security would use VNC over SSH, and properly configure SSH as well.
Re: (Score:2)
Anyone who cares about security would use VNC over SSH, and properly configure SSH as well.
In case anyone's wondering, here's how you 'properly' configure SSH: apt-get install openssh-server
Done.
Re: (Score:2)
Many distros enable password login by default. If possible, this should be disabled as well.
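The posters above recommend SSH with public keys and no root login, and an earlier reply tunnels RDP through a Cygwin sshd on the Windows box. As an added example (not any poster's code), here is a POSIX shell script that checks an sshd_config for those two settings and prints the matching loopback-bound tunnel command; the host name, port and config path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers:
#  1. check_sshd_hardening FILE  - reports whether an sshd_config really has
#     key-only auth and no root login (the "properly configured SSH" above).
#  2. rdp_tunnel_cmd HOST PORT   - prints the ssh command that forwards a
#     loopback-only local PORT to RDP (3389) on HOST, for the Cygwin sshd
#     procedure described earlier. Host names and paths are placeholders.

# First value of KEYWORD in FILE, lowercased. sshd honours the first match,
# so a later "PasswordAuthentication no" does not override an earlier "yes".
# Commented-out lines are skipped on purpose: they are not configuration.
first_value() {
    grep -iE "^[[:space:]]*$1[[:space:]]" "$2" | head -n 1 | awk '{print tolower($2)}'
}

# Returns 0 when both settings are hardened, 1 otherwise, printing each weak
# or missing setting. A missing keyword falls back to sshd's default
# (PasswordAuthentication yes; PermitRootLogin yes on older releases,
# prohibit-password on newer ones), so missing counts as weak.
check_sshd_hardening() {
    cfg="$1"
    status=0
    pw=$(first_value PasswordAuthentication "$cfg")
    if [ "$pw" != "no" ]; then
        echo "WEAK: PasswordAuthentication is '${pw:-unset}' (want: no)"
        status=1
    fi
    root=$(first_value PermitRootLogin "$cfg")
    # Only "no" counts: prohibit-password still lets root in with a key,
    # which is not what "no SSH root user login" above means.
    if [ "$root" != "no" ]; then
        echo "WEAK: PermitRootLogin is '${root:-unset}' (want: no)"
        status=1
    fi
    return "$status"
}

# Bind the listener to 127.0.0.1 so other hosts on your LAN cannot ride the
# tunnel; -N opens no remote shell. Afterwards point mstsc at localhost:PORT.
rdp_tunnel_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:3389 %s\n' "$2" "$1"
}

# Usage (placeholders): check_sshd_hardening /etc/ssh/sshd_config
#                       $(rdp_tunnel_cmd admin@winbox.example 13389)
```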
Re:Not worrying (Score:4, Insightful)
I think all of those have happened in Linux at some stage, with the exception of privilege escalation exploits in an IDE.
It just happens less and the number of exploits is reduced due to rapid updates, on average much better admin and version fragmentation from different distros.
Re: (Score:2)
Windows has all the same security functions Linux does and then some, and can be made to be highly secure. It also has a command line that is more useful than the majority of the inexperienced know. Admins who don't know how to/or care to maintain some of their systems exist in both camps. It is not the tool.
What you are saying is the same as saying impact wrenches
Re: (Score:2)
a system where many admins cannot write firewall rules and file ACLs is better than a system with a GUI for the same
Fortunately, "admins" who don't understand iptables or chmod (there are graphical aids anyway) are usually using something else, like Windows. I'm not saying Linux is safer, always and forever, I'm saying the way Linux is to be apprehended makes it more likely to be operated by skilled professionals. There are of course brilliant people Windows side, and both systems' complexity is similar, but the thing is that the GUI layer makes it accessible to more people who think they understand the system since the
Re: (Score:2)
+1 Testify, Brother! Too many non-Windows admins IMHO have little idea of the capabilities of PowerShell.
Re: (Score:2)
So what if the users are less competent, doesn't make the software any worse just cos it's used by less competent people.
Re: (Score:2)
SSH has had several bugs - both design flaws and implementation flaws. Heck, even things like NTP servers have been exploited. SSH is in no way "simple" (though it has been getting better at not having remote code execution flaws) and it can be misconfigured and used in very creative ways.
The "hate" here seems to be that it is actually possible to administer Windows conveniently using RDP and that there is something inherently wrong with that. Administering IT systems should not be black magic done in deep
Re: (Score:1)
How insightful. I'd never have imagined to see a comment like this on Slashdot, thanks for contributing to the discussion!
Re: (Score:2)
I'd never have imagined to see a comment like this on Slashdot
You must be kidding, or you must be new, or you must suffer from the Memento syndrome. There are plenty of posts like this one. They're usually from AC, and don't survive in the >-1 universe more than a couple of minutes. Or maybe you were looking after some karma? My post being an easy target, and you expected some recognition from your criticism, like the schoolboy proud to blame another student in front of the teacher, for something the teacher disapproves. Frankly, after a few hours of work, I look ba
Re: (Score:2)
Well, it's honestly not worth finding exploits for Linode or most other forms of Linux. (Not a flamebait.) Why bother trying to break into the computers of less than 1% of people.
(See, others can do it too!)
Can we get a "Macs don't get viruses!" guy to chime in? And maybe someone from Amiga or BSD?
None of this would be happening if we all ran OS/2 (Score:2)
The subject has become somewhat of a catchphrase in my org.
The hidden subtext is that "None of this" would include the Internet, our business, or my paycheck.
--Joe
Re: (Score:1)
I've had a time or two at work where a remote admin needed desktop access to see what was wrong and correct it. Granted, if it were the Linux box next to it they could have just SSH'd into it.
Re: (Score:2)
Cheap (free), secure, easy. Pick 2.
Re: (Score:2)
Then why did you pick only 0.5 for Windows?
Re: (Score:2)
Cheap, Secure, Easy, not Vaporware, pick any 2... ;-)
Capability based security systems could give cheap, secure, easy... but they are definitely vaporware at this point in time.
Re: (Score:2)
Linux and its applications only dominate ANYWHERE because they're cheap/free. Granted, they work well enough for the market they're aimed at, but there's a lot more to the IT world than the internet.
Re: (Score:2)
Linux and its applications only dominate ANYWHERE because they're cheap/free
False. Many of us use Linux / UNIX for workloads and tasks that Windows won't run at all, or that run significantly slower using Windows. Scalability, downtime prevention, and consistent operation are unparalleled in the mainframe / mini segment, which is *nix territory -- not Windows.
We spend a lot of money annually to keep our Linux systems supported, both from an employee cost as well as support / upgrades from the vendor, so I can assure you we haven't made this choice because it's cheaper software-wise.
Re: (Score:2)
I think you've confirmed my argument - you could do all your stuff using Windows (except for software that has NO Windows equivalent), but it would cost a truckload more $$$
Re:RDP is Worthless (Score:5, Insightful)
Who are all these admins doing stuff over RDP and why are they still employed? I've seen these installations myself but I simply cannot believe it. It's so dumb that it boggles the mind. Why would I need to login to a full display server to remotely administrate... anything? Oh, unless I'm on Windows where some applications cannot be used without the GUI. Lol. This is so pathetic. If you simply must use a GUI, just tunnel an X client over SSH and never worry about applying patches again- oh but wait, I forgot again that we're on Windows so you can't do that. Why anyone would rely on this backwards, insecure, cumbersome, and ultimately counter-productive bullshit is completely beyond me.
The dangerous people are not the admins that are using RDP. The dangerous people are the idiots that think that because they use an X client over SSH they don't have to worry about applying patches again.
So it does not surprise me that the fact that people rely on technologies that you don't understand is completely beyond you. Once you get real work experience, other than maintaining that FTP server for a non-profit or that Drupal server for Uncle Bob's tackle and bait shop, we can have this discussion again.
RDP provides more than just a GUI (Score:2)
Re: (Score:2)
just most people don't even know it exists or wtf to do with it
TFA is about admin management through RDP - not the lambda user around. Allowing SSH (via a simple user) to connect to a server, and allowing some text-based administration from the specialists, is one thing; opening a GUI remote administration tool with menus and all that give hints on how to mess up the machine is something else.
Re: (Score:2)
Somebody finally fix the root of the problem and hack Microsoft's server to push out a Linux iso...
But if someone does hack the Microsoft server (I'm sure they have only one) and install Linux, Windows will disappear and wannabe geeks will have to find another easy target for their wannabe bashing
Re: (Score:2)
Post with your real name and we'll talk to you, troll
Re: (Score:2)
Crack is a hell of a drug.