Last week Microsoft released a security alert that warned of a remote Denial of Service (DoS) condition in the Remote Desktop Protocol (RDP). RDP is disabled by default on most Windows versions, with the exception of Media Center. However, many organizations do enable it to aid in remote support.
As of today, there is not a patch available for this vulnerability and complete details are not publicly known. Microsoft and other security experts have recommended that in order to mitigate the vulnerability, users should disable RDP and ensure that TCP Port 3389 is blocked at the firewall level. While this will definitely protect users from the vulnerability, it can significantly impact the business of those organizations that rely on RDP.
The researcher who discovered the vulnerability has provided some additional details about this issue to help confirm the analysis and assess the risk that it poses. Without going into complete details on this issue, we will explain the already public details and dispel some misconceptions reported by the media.
The first misconception was that there is a high likelihood that this vulnerability can be exploited to run arbitrary code on the target systems. This is completely false. The Microsoft analysis on this bug is, in this case, 100 correct and the potential result of a successful exploit is nothing more severe than a DoS.
Because there is no opportunity to run arbitrary code, this also removes the possibility for this flaw to be used in a worm attack. As far as attack scenarios go, this vulnerability can be utilized in a Denial of Service (DoS) attack or a blended attack where the attacker requires the ability to force a remote system to reboot. Causing a DoS on a target system would force either an automatic or manual reboot to be required, depending on the target system's configuration.
So what exactly is this vulnerability? This question is difficult to answer without discussing information that is not already public knowledge. A specific driver, RDPWD.SYS, is present on Windows 2000, Windows 2003, and Windows XP. All versions of Windows including Windows XP SP2 are vulnerable, but as mentioned above, only if the RDP service is enabled.
Related links: (Open in a new window.)
www.microsoft.com/technet/security/advisory/904797.mspx
www.eeye.com
Taken from Information Security Bulletin.