The security bulletins released by Microsoft as part of the March 2012 updates address a couple of vulnerabilities that affect the Remote Desktop Protocol (RDP). Even though the security holes were reported privately and there is no known exploitation in the wild, customers are advised to apply the updates immediately, because attackers routinely race to build exploits in the window between a bulletin's release and its deployment.
The more dangerous flaw is rated Critical and could allow an attacker to remotely execute arbitrary code, without authenticating, on a machine where RDP has been enabled (a non-default configuration).
The pool of exposed systems is smaller than it might seem, because RDP is disabled by default on every Windows release, and administrators who already require Network Level Authentication (NLA) are at considerably lower risk, since NLA keeps unauthenticated clients away from the vulnerable code.
“We understand that our customers need time to evaluate and test all bulletins before applying them. To provide for a bit of scheduling flexibility, we’re offering a one-click, no-reboot Fix it that enables Network-Level Authentication, an effective mitigation for this issue,” Angela Gunn of Trustworthy Computing wrote.
Until the update is applied, enabling NLA does not mitigate the threat completely, but it forces an attacker to authenticate to the server before the vulnerable code can be reached.
Once NLA is required, older clients such as Windows XP and Windows Server 2003 cannot connect by default, so Microsoft also provides a one-click solution for turning on the Credential Security Support Provider (CredSSP).
CredSSP allows clients running those older operating systems to initiate RDP connections to a server that has NLA enabled.
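The following PowerShell is an added example, not code from the article or from Microsoft's Fix it packages. It audits an RDP host for the exposure described above, turns on NLA where it is off, and shows the client-side CredSSP change that the Fix it applies to Windows XP SP3 (per Microsoft KB951608). It assumes the documented Terminal Server registry values and the Win32_TSGeneralSetting WMI class, and must be run from an elevated prompt.

```powershell
# Added example (not the article's or Microsoft's code). Server side: Windows
# Server 2008 / 2008 R2 or Windows 7; run elevated. Registry locations are the
# documented Terminal Server settings, assumed to be present on the host.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RdpState {
    # fDenyTSConnections = 1 means Remote Desktop is off (the Windows default),
    # so the host is not exposed to this issue at all.
    $deny  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before a session is created.
    $auth  = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication).UserAuthentication
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required.
    $layer = (Get-ItemProperty -Path $tcpKey -Name SecurityLayer).SecurityLayer
    New-Object PSObject -Property @{
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($auth -eq 1)
        SecurityLayer = $layer
    }
}

function Enable-Nla {
    # SetUserAuthenticationRequired takes effect without a reboot; it is the
    # same switch the Remote tab of System Properties flips.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
            -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $ts.SetUserAuthenticationRequired(1) | Out-Null
}

# Client side (Windows XP SP3, the client KB951608 targets): what the CredSSP
# Fix it changes. A reboot is required afterwards. XP does not ship PowerShell,
# so on the client itself the same two edits are usually made with reg.exe.
function Enable-CredSspClient {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
    # 'Security Packages' is a REG_MULTI_SZ; add the TS package if missing.
    $pkgs = (Get-ItemProperty -Path $lsa -Name 'Security Packages').'Security Packages'
    if ($pkgs -notcontains 'tspkg') {
        Set-ItemProperty -Path $lsa -Name 'Security Packages' `
            -Value ($pkgs + 'tspkg') -Type MultiString
    }
    # 'SecurityProviders' is a comma-separated REG_SZ; append credssp.dll.
    $provs = (Get-ItemProperty -Path $sp -Name SecurityProviders).SecurityProviders
    if ($provs -notmatch 'credssp\.dll') {
        Set-ItemProperty -Path $sp -Name SecurityProviders -Value "$provs, credssp.dll"
    }
}

# Server-side audit and remediation.
$state = Get-RdpState
if (-not $state.RdpEnabled) {
    Write-Host 'RDP is disabled; this host is not exposed to the RDP issue.'
}
elseif ($state.NlaRequired) {
    Write-Host 'RDP enabled with NLA required: unauthenticated clients cannot reach the vulnerable code. Still apply the update.'
}
else {
    Write-Host 'RDP enabled WITHOUT NLA: enabling it now.'
    Enable-Nla
    Get-RdpState | Format-List
}
```

Enabling NLA is a stopgap, not a fix: an attacker holding valid credentials can still reach the flawed code, so the bulletin itself still needs to be installed. Before turning NLA on across a fleet, inventory which clients will be cut off (pre-Vista systems without CredSSP) and apply the client-side change to them first.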
Servers that are not directly vulnerable to this issue include those providing the Terminal Services Gateway service and Windows Server 2008 R2 SP1 servers that have the RemoteFX feature for Remote Desktops.
The one-click Fix it packages for enabling NLA and CredSSP are available from Microsoft.
Here's a video of Yunsun Wee explaining this month's security bulletins and the RDP issue: