RDP Flaw Exposes Windows to DoS Attacks
by Alex Woodie
Microsoft issued a security advisory Saturday about a newly discovered vulnerability in Remote Desktop Protocol (RDP) that could expose computers running Windows XP, Windows 2000, and Windows Server 2003 to denial of service (DoS) attacks. Microsoft is expected to fix the flaw with a patch--possibly with the next Patch Tuesday round coming on August 9, possibly sooner--but until then, the company has issued workarounds, including shutting down Windows services that rely on RDP.
RDP was introduced by Microsoft with Windows NT Server 4.0 in the late 1990s as a way to provide display and input capabilities from a client to a server running Windows applications, in much the same way that Citrix's Independent Computing Architecture (ICA) protocol enables clients to access applications running on a server. RDP is an integral component of Windows services that allow remote desktop sessions, including Terminal Services in Windows 2000 and Windows Server 2003, and Remote Desktop Sharing in Windows XP. While RDP is not enabled by default with Windows XP, it is turned on at startup on Windows XP Media Center Edition.
The DoS vulnerability, which security researcher Tim Ferris of Security Protocols says he first made Microsoft aware of in May, has to do with the way Windows interprets RDP requests. In its Security Advisory (904797) posted over the weekend, Microsoft says a maliciously formed RDP request could cause a computer to crash. "Our investigation has determined that this is limited to a denial of service, and therefore an attacker could not use this vulnerability to take complete control of a system," the advisory states.
At this point, there have been no publicly reported instances where the vulnerability has been used to launch a DoS attack, Microsoft says. However, some security firms have reported an increase in port scanning, which could indicate attackers are preparing to strike.
Microsoft says it is preparing a patch to fix the flaw. Whether it waits until its next regularly scheduled round of patches or issues an out-of-cycle update will likely depend on whether there are any wide-scale DoS attacks that make use of this flaw. Ferris says on his Web site that Microsoft told him a patch would be issued in August.
Until a patch is issued, Microsoft recommends users stay safe by choosing one of several workarounds, including blocking port 3389 (the port used by RDP), or turning off Terminal Services or Remote Desktop if they're not required. If those services are required (and I suspect there are tens or hundreds of thousands of Windows shops around the world that rely on this technology every day), the software giant recommends securing remote desktop connections with either Internet Protocol Security (IPsec), for encryption and authentication, or a virtual private network (VPN).