The Microsoft Security Response Center late Saturday released a security advisory to offer pre-patch workarounds for a denial-of-service flaw in Windows XP Service Pack 2.
The companys advisory follows the public disclosure of the vulnerability in Remote Desktop Services, a feature that allows XP users to remotely control computers from another office, from home or while traveling.
However, Microsoft is adamant that the flaw is not as serious as some researchers are making it out to be.
“Our investigation has determined that this is limited to a denial of service, and therefore an attacker could not use this vulnerability to take complete control of a system,” the advisory read.
“We have not been made aware of attacks that try to use the reported vulnerability or of customer impact at this time, but we are aggressively investigating the public reports,” the advisory added.
The MSRCs early findings confirm that an attacker could send a specially crafted RDP (Remote Desktop Protocol) request to an affected system to cause a system crash. However, because services that use RDP are not enabled by default in the operating system, the damage is somewhat limited to users who enable Remote Desktop to create virtual sessions onto their desktop computers.
Remote Desktop is enabled by default on Windows XP Media Center Edition, putting those users at higher risk.
In addition to remote desktop sharing in Windows XP, Microsoft has also implemented the RDP protocol in Terminal Services in Windows 2000 and Windows Server 2003.
WORKAROUNDS
In the advisory, Microsoft recommends the following workarounds to help block known attack vectors:
- Block TCP port 3389 at the firewall. This port is used to initiate a connection with the affected component. Blocking it at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability.
On Windows XP and Windows Server 2003, the Windows Firewall can help protect individual machines. By default, the Windows Firewall does not allow connections to this port. Information on how to disable the Windows Firewall exception for Remote Desktop on these platforms can be found here.
- Disable Terminal Services or the Remote Desktop feature if they are not required. As a security best practice, if these services are no longer required on a system, users should consider disabling them. Disabling unused and unneeded services helps to reduce your exposure to security vulnerabilities. Information on disabling Remote Desktop via Group Policy can be found in this Knowledge Base article.
- Secure Remote Desktop Connections by using an IP Security policy. Specific configurations would be dependent upon the individual environment. For more information on IPSec, visit this Web site.
- Secure Remote Desktop Connections by employing a VPN. Again, configurations would be dependent upon the individual environment. See this Web site for more information about VPN connections.
Stephen Toulouse, a program manager in the MSRC, used his personal Weblog to clarify public reports that the RDP flaw could pose a code execution threat.
“Theres been a lot of talk about code execution and that there might be a widespread attack with this. Our analysis has determined this is a denial-of-service situation, which causes the computer to fault and restart,” Toulouse said, insisting it would be “exceedingly difficult” to spread some type of automated attack because the feature is not turned on by default.
Toulouse added that there has also “been a lot of talk that this could be used against fully updated firewalled SP2 systems. While thats true if you have enabled Remote Desktop, theres nothing wrong with the firewall in Windows XP SP2. If you enable Remote Desktop, it opens the port on the firewall so that you can remotely contact the computer,” Toulouse said.
“In this case there is no flaw in the firewall itself, unlike what some people are saying, its just that the port is open when you enable Remote Desktop so that you can communicate with the machine remotely,” he added.