Microsoft disappoints space fans with worm hole that's a flaw, not a breakthrough
Weakness in RDP may give hackers instant access to root instead of Andromeda
Microsoft disappointed the space-enthusiast and science-fiction communities yesterday by announcing it had identified a critical worm hole that could be exploited within 30 days.
Unfortunately, the worm hole Microsoft identified is a flaw in the remote-access functions of Windows, not a hole in the fabric of space and time often used in Star Trek and other SF universes as a short-cut to interstellar travel.
Rather, it meant a weakness in Windows' Remote Desktop Protocol (RDP) that could allow hackers to find and access a remote computer, load malicious code and run it, all without the user's permission.
Microsoft's blog post on the RDP flaw identified the weakness and offered a patch that could fix it.
Because the flaw is in a Windows service used frequently by corporate IT support apps and managers, Microsoft also offered workarounds for companies that need to test the patch before installing it.
There's no guarantee how long it would take a hacker to create an exploit that would take advantage of a hole providing root-level access to a stranger's PC, but the effort "will not be trivial – we would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days," according to Microsoft.
Hole bypasses security, goes straight to the root of Windows
The flaw, identified in Microsoft documentation as CVE-2012-0002, is present in all versions of Windows and would allow hackers to access and load code on a remote system by working on levels of the operating system lower than those that require network authentication.
RDP runs in kernel mode with full System access permissions, meaning any exploit using RDP successfully would have not only the right to load and run code, but full root access and potentially control over the victim's machine as well.
The good news, according to Microsoft, is that RDP is disabled by default, so PCs that have not been configured to use any of a host of consumer-oriented remote-access, remote control or remote support tools may not be as vulnerable as those that have.
The MS12-020 security patch will fix the problem, Microsoft promises, though it may affect enough support- and remote-access apps that many corporate customers may want to test the patch before installation.
How to fix the problem, how the repair can break corporate apps
For home or individual users wanting to install the patch separately from the usual Tuesday Windows Update patch roundup, there is an automated Microsoft FixIt script that will take care of it.
For corporate users, Microsoft warns that the patch could break some existing support- or remote-access apps by installing an RDP "ghost listener" called RDP-TCP that could supersede the app's existing RDP client configurations.
It also installs a series of .dll, .exe and other files that could confuse apps that rely on RDP for low-level access to remote workstations.
Corporations or individuals who need to test the fix before installing it can reduce the risk from the vulnerability by enabling Network Level Authentication (NLA) within RDP, which forces remote users to authenticate before the vulnerable part of the session is ever set up.
Workstations are at greater risk than servers running RDP; specifically, servers running Terminal Services Gateway or RemoteFX are less at risk because of the way they handle RDP connections. RemoteFX runs the vulnerable section of RDP under user-level permissions rather than root; Terminal Services strips away the SSL encryption from an RDP request and then makes the connection using a different port than that assumed for normal RDP connections.
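To check a Windows host against the two conditions the article describes (RDP enabled at all, and NLA required), here is an added PowerShell audit script; it is not from the article or from Microsoft, and it assumes the standard Terminal Server registry locations that hold those settings, run from an elevated session on the host being checked.

```powershell
# Added example: audit one host for the MS12-020 / CVE-2012-0002 exposure and
# NLA workaround state. Assumes the usual Terminal Server registry paths.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is off (the default the article mentions).
    $denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
               -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before a session is created.
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
            -ErrorAction SilentlyContinue).UserAuthentication

    $rdpEnabled  = ($denyTs -eq 0)
    $nlaRequired = ($nla -eq 1)

    # Risk as the article frames it: RDP listening with no NLA means an
    # unauthenticated peer reaches the vulnerable pre-auth code path.
    if (-not $rdpEnabled) {
        $assessment = 'RDP disabled: not exposed'
    } elseif ($nlaRequired) {
        $assessment = 'RDP enabled with NLA: workaround in place, still apply MS12-020'
    } else {
        $assessment = 'RDP enabled without NLA: apply MS12-020 or enable NLA now'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        NlaRequired  = $nlaRequired
        Assessment   = $assessment
    }
}

function Enable-RdpNla {
    # Applies the article's workaround: require authentication before anything else.
    # Caveat: RDP clients that cannot perform NLA will no longer be able to connect.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
}

Get-RdpExposure
```

Run `Enable-RdpNla` only after confirming the remote-support tools in use can negotiate NLA, since the article notes that the fix and its workarounds can interfere with such apps.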
None of the workarounds, patches, updates or technical bulletins Microsoft supplied indicate either the exploit or the countermeasures will have any effect at all on the presence or absence of wormholes capable of supporting interstellar travel, making them just as important but far less interesting than they would be otherwise.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.