Microsoft closed a critical vulnerability in its Remote Desktop protocol as part of its March Patch Tuesday release.
The remote code execution vulnerability in the Remote Desktop Protocol can be exploited to run arbitrary code on the targeted Windows system, Microsoft said in its Patch Tuesday advisory, dated March 13. All in all, Microsoft released six security bulletins fixing seven vulnerabilities in Microsoft Windows, DNS server, Expression Design and Visual Studio.
The RDP patch was the only bulletin rated as “critical” and Microsoft urged administrators to apply the fix immediately. Even though RDP is disabled by default on most Windows systems, the pool of potential victims is still significant because it is used by many businesses to remotely log in and manage machines. Often, an administrator may forget to turn off RDP after using it once for maintenance or troubleshooting.
The exploit, once developed, would succeed even without valid network credentials. This vulnerability is present in all versions of Windows, according to Microsoft. An attacker would be able to install programs, view, change or delete data, and create new accounts with full user rights.
“An unauthenticated remote code execution is pretty much as bad as it gets,” said Dave Marcus, director of advanced research and threat intelligence at McAfee Labs.
Last fall, an Internet worm called Morto used RDP to attack Windows machines by brute-forcing passwords on Administrator accounts using a list of commonly used passwords. The worm highlighted that machines that can be accessed remotely are usually poorly secured, often with weak passwords or no VPN protection in place, said Kurt Baumgartner, senior security researcher at Kaspersky Lab.
Businesses that enabled network level authentication (NLA) with RDP are at significantly less risk, because of the additional authentication layer present. However, NLA is native only on Vista and later versions, including Windows 7, Windows Server 2008 and Windows Server 2008 R2. Administrators would need to install separate client software to make NLA work on XP systems.
Even though there are no exploits in the wild targeting the vulnerability, Microsoft anticipated one would be developed within the next 30 days.
Ben Greenbaum, a senior principal software engineer at Symantec’s Security Intelligence Group, recommended that administrators check and verify that RDP is disabled on systems that don’t need remote access.
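As an added check (this code is not part of the article), the following PowerShell reports the two settings the advice above turns on: whether Remote Desktop is enabled on the local host and, if so, whether network level authentication is required before a session is created. It reads the standard Terminal Server registry values and changes nothing; run it in an elevated session.

```powershell
# Added example, not from the article: read-only report of the local host's
# Remote Desktop and NLA settings. Requires an elevated PowerShell session.
function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections: 1 = Remote Desktop disabled, 0 = enabled
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
             -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication: 1 = NLA required before a session is created
    $nla  = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication `
             -ErrorAction SilentlyContinue).UserAuthentication
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS only
    $sec  = (Get-ItemProperty -Path $tcpKey -Name SecurityLayer `
             -ErrorAction SilentlyContinue).SecurityLayer

    $assessment =
        if ($null -eq $deny)  { 'Setting not found; check that this is a Windows host and you are elevated' }
        elseif ($deny -eq 1)  { 'RDP disabled' }
        elseif ($nla -eq 1)   { 'RDP enabled, NLA required' }
        else                  { 'RDP enabled WITHOUT NLA: unauthenticated clients reach the listener' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($nla -eq 1)
        SecurityLayer = $sec
        Assessment    = $assessment
    }
}

Get-RdpExposure | Format-List

# Remediation, to be applied deliberately rather than by this script:
#   require NLA:  Set-ItemProperty -Path $tcpKey -Name UserAuthentication -Value 1
#   disable RDP:  Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 1
```

A host that reports “RDP enabled WITHOUT NLA” is the case the article describes: the listener accepts connections before any credentials are checked, so the patch should be applied first and NLA enabled where the operating system supports it.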
In other update news, Adobe released a security update for ColdFusion 9.0.1 and earlier for Windows, Mac OS, and Unix earlier in the day. The vulnerability could be exploited to cause a denial of service. Instructions for applying the hotfix were included in a separate tech note.
The issue was flagged as “important,” meaning that if successfully exploited, attackers could potentially access confidential data or otherwise compromise the computer’s processing resources. Even though Adobe has yet to see exploits in the wild targeting the flaw, the Product Security Incident Response Team ranked the patch as a “priority 2” fix. The update should be installed “soon,” or within 30 days, according to Adobe.