Windows Flaw Reaches Beyond XP

A security flaw that could let an attacker remotely crash computers running Windows exists in several versions of the operating system, not just Windows XP.

Windows 2000, Windows XP and Windows Server 2003 are vulnerable to a denial-of-service attack that exploits a problem in the Remote Desktop Protocol, Microsoft said in an advisory on Saturday.

RDP is a protocol that enables remote access to Windows systems. Because of a flaw in the way Windows handles remote desktop requests, an attacker could crash a PC by sending a malformed remote request, Microsoft said.

The advisory was released after the security researcher who discovered the flaw last week flagged Windows XP as vulnerable. Microsoft confirmed the issue on Friday and published the advisory over the weekend.

<!-- STORY TEASE --><!-- END STORY TEASE -->Microsoft said it is working on a patch, but noted that it is not aware of any attacks that try to exploit the vulnerability. However, security experts at The SANS Institute on Saturday did notice an increase in port scanning activity on the network port used by RDP. That could be a sign that hackers are trying to look for targets.

While most Windows versions ship with RDP services disabled, Remote Desktop is turned on out-of-the-box in Windows XP Media Center Edition. Only computers using services that have RDP enabled are vulnerable, Microsoft said in its advisory.

Services with RDP include Terminal Services in Windows 2000 and Windows Server 2003, and Remote Desktop Sharing and Remote Assistance in Windows XP.

-----

<!--StartFragment -->Remote Desktop is enabled by default on Windows XP Media Center Edition, putting those users at higher risk.
In addition to remote desktop sharing in Windows XP, Microsoft has also implemented the RDP protocol in Terminal Services in Windows 2000 and Windows Server 2003.

WORKAROUNDS

In the advisory, Microsoft recommends the following workarounds to help block known attack vectors:

- Block TCP port 3389 at the firewall. This port is used to initiate a connection with the affected component. Blocking it at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. On Windows XP and Windows Server 2003, the Windows Firewall can help protect individual machines. By default, the Windows Firewall does not allow connections to this port. Information on how to disable the Windows Firewall exception for Remote Desktop on these platforms can be found here.


- Disable Terminal Services or the Remote Desktop feature if they are not required. As a security best practice, if these services are no longer required on a system, users should consider disabling them. Disabling unused and unneeded services helps to reduce your exposure to security vulnerabilities. Information on disabling Remote Desktop via Group Policy can be found in this Knowledge Base article.

- Secure Remote Desktop Connections by using an IP Security policy. Specific configurations would be dependent upon the individual environment. For more information on IPSec, visit this Web site.

- Secure Remote Desktop Connections by employing a VPN. Again, configurations would be dependent upon the individual environment. See this Web site for more information about VPN connections.

Sources:

http://news.zdnet.com/2100-1009_22-5793344.html

http://www.eweek.com/article2/0,1895,1838174,00.asp