SOFTWARE TINKERER Microsoft has revealed details of a security flaw that can let attackers potentially bypass firewalls and allow remote code execution on a swathe of Windows operating systems from Windows XP SP3 up to Windows 7.
The bug, which is patched in the latest March Patch Tuesday release, centres on Microsoft's Windows implementation of the Remote Desktop Protocol (RDP). Referred to by Microsoft as CVE-2012-0002, the flaw is rated as a "critical" remote code execution vulnerability affecting all versions of Windows.
Highlighting the severity of the flaw, Microsoft said users are strongly encouraged to make a "special priority of applying this particular update" or harden PC environments until the update can be applied.
"This issue is potentially reachable over the network by an attacker before authentication is required. RDP is commonly allowed through firewalls due to its utility. The service runs in kernel-mode as SYSTEM by default on nearly all platforms," Microsoft's Technet blog warned.
"The good news is that the Remote Desktop Protocol is disabled by default, so a majority of workstations are unaffected by this issue. However, we highly encourage you to apply the update right away on any systems where you have enabled Remote Desktop."
Despite the nastiness of the bug, Microsoft pointed out that CVE-2012-0002 was privately reported and that there have been no known attacks in the wild. Although developing a working exploit is "not trivial", Microsoft said that, given how attractive this vulnerability is to attackers, it anticipates that an exploit for code execution will be developed within the next 30 days.
For environments where it is not possible to roll out the patch immediately, Microsoft advises that sysadmins can "substantially reduce the risk" on Windows Vista and later systems where RDP is enabled by enabling Remote Desktop's Network Level Authentication (NLA). This means that authentication is required before a remote desktop session is established to the remote desktop server. Though the vulnerable code is still present and can potentially be exploited for code execution, the attacker will first have to get through this authentication layer.
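The following PowerShell script is an added example, not code from Microsoft or from this article, showing how an administrator can check the two settings the mitigation advice above depends on: whether Remote Desktop is enabled at all, and whether Network Level Authentication is required before a session is established. It reads the standard Terminal Server registry values and the Win32_TSGeneralSetting WMI class, which exist on Windows Vista and later; the `-EnforceNla` switch name is this example's own choice, and the script assumes it is run in an elevated session on the host being audited.

```powershell
# Added example (not Microsoft's code): audit a Windows host's RDP exposure
# and, on request, switch on Network Level Authentication (NLA).
# Assumes Windows Vista or later and an elevated PowerShell session.
param(
    [switch]$EnforceNla   # example-specific switch: when set, turn NLA on
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is disabled, which the
    # article notes is the default, so such a host is not reachable via RDP.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction Stop).fDenyTSConnections

    # UserAuthentication = 1 on the RDP-Tcp listener means NLA is required:
    # the client must authenticate before the session (and the vulnerable
    # code path) is reached.
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    # Cross-check the listener through WMI, which is what Remote Desktop
    # configuration tools use; the namespace and class are standard.
    $listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

    # Is anything actually listening on the default RDP port?
    $listening = [bool](netstat -an | Select-String -Pattern ':3389\s+.*LISTENING')

    New-Object PSObject -Property @{
        ComputerName        = $env:COMPUTERNAME
        RdpEnabled          = ($deny -eq 0)
        NlaRequiredRegistry = ($nla -eq 1)
        NlaRequiredWmi      = ($listener -ne $null -and $listener.UserAuthenticationRequired -eq 1)
        ListeningOn3389     = $listening
    }
}

function Enable-Nla {
    # Use the documented WMI method rather than writing the registry directly,
    # so the change takes effect the same way the GUI's "Allow connections only
    # from computers running Remote Desktop with NLA" option does.
    $listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if ($listener -eq $null) { throw 'RDP-Tcp listener not found' }
    $result = $listener.SetUserAuthenticationRequired(1)
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed with code $($result.ReturnValue)"
    }
}

$status = Get-RdpExposure
$status | Format-List

# Risk call-out in the spirit of the article: RDP reachable without NLA means
# the pre-authentication code path is exposed until the update is applied.
if ($status.RdpEnabled -and -not $status.NlaRequiredWmi) {
    Write-Warning 'Remote Desktop is enabled without NLA; apply the update or enable NLA.'
    if ($EnforceNla) {
        Enable-Nla
        Write-Host 'NLA has been enabled on the RDP-Tcp listener.'
        Get-RdpExposure | Format-List
    }
} elseif (-not $status.RdpEnabled) {
    Write-Host 'Remote Desktop is disabled; this host is not exposed via RDP.'
} else {
    Write-Host 'Remote Desktop is enabled with NLA required; the update should still be applied.'
}
```

Run it without arguments to report only, or with `-EnforceNla` to switch NLA on where RDP is enabled without it. Note that NLA requires clients that support CredSSP (Windows XP needs SP3 plus a newer Remote Desktop client), so enabling it can lock out older clients; and, as the article says, it is a stop-gap, not a replacement for the update.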