Microsoft: DoS Bug Not Limited To Windows XP


According to the Security Advisory posted Saturday, the bug in Windows Remote Desktop Service affects not just Windows XP SP2, as originally thought, but all the supported editions of Windows, including Windows 2000, Windows XP SP1, Windows XP Professional x64, Windows Server 2003, Windows Server 2003 SP1, and Windows Server x64.

Since May, Microsoft has had the advisory service in place to warn users of confirmed vulnerabilities before a patch is available, and if possible, provide advice on how to contain or prevent an exploit.

Microsoft downplayed the danger posed by the flaw.

"Our initial investigation has revealed that a denial of service vulnerability exists that could allow an attacker to send a specially crafted Remote Desktop Protocol (RDP) request to an affected system," said the alert. "Our investigation has determined that this is limited to a denial of service, and therefore an attacker could not use this vulnerability to take complete control of a system."

Alfred Huger, the vice president of engineering for Symantec's security response team, isn't so sure.

"It's not yet clear if this has a buffer overflow potential," said Huger. Oftentimes, a denial-of-service (DoS) vulnerability that lets an attack crash a system can be finessed into causing a buffer overflow, the typical method that hackers use to gain complete control over a PC and load their own malicious code onto the box.

"If I had to guess," said Huger, "I'd guess that that's how it will turn out."

In the advisory, Microsoft repeated that Remote Desktop Service is disabled by default in all versions of Windows except Windows Media Center, which is based on Windows XP.

"But it's enabled on a lot of corporate computers," countered Huger, "so IT staffs can access machines remotely to fix problems. Some of the more aggressive ISPs also enable it with their help software."

While Microsoft said that the bug was significant enough to justify an update to Windows, it stopped short of promising a patch before the next scheduled round of August 9.

In the meantime, it recommended that users disable Remote Desktop and/or block port 3389 at the firewall. That port is the one used by Remote Desktop.

Not coincidentally, SANS' Internet Storm Center detected several spikes in scanning for port 3389 starting July 6, with an even larger number of systems scanned on July 13. Hackers may be looking for vulnerable machines, said the Storm Center.

Microsoft, however, continues to say that no exploit has been seen in public spaces, although the original discoverer of the vulnerability claims to have a working exploit.

"It's a kernel vulnerability," said Huger, "so it will be difficult to exploit reliably. But he [the original discoverer] found the vulnerability with a commonly-used tool, so if he can find it, so can others.

"I don&'t think it will turn it into a large-scale worm, but then, some kernel vulnerabilities have ended up as just that, like the Witty worm."