New Windows flaw to spark Conficker 2.0?
Microsoft is urging administrators to patch their machines after it discovered a vulnerability that could allow hackers to take complete control of PCs running Windows and potentially pave the way for the next Conficker worm or worse.
(Gummy Worms 9 image by Pam Junsay, CC2.0)
In the most recent Patch Tuesday bulletin, Microsoft identified a critical flaw affecting Remote Desktop Protocol (RDP), included in most versions of Windows — affected versions include Windows XP, Vista, 7, Server 2003 and Server 2008.
According to the security bulletin, the vulnerability works by "modifying the way that the Remote Desktop Protocol processes packets in memory and the way that the RDP service processes packets".
Depending on how the packets are crafted, this could allow a hacker to completely compromise the target or cause the RDP service to hang, resulting in a denial of service for legitimate users.
Although RDP is disabled by default on fresh installations of Windows, its popularity among users, especially in the enterprise space, makes it a significant and lucrative threat to hackers.
"Due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days," Microsoft wrote in a blog post.
Penetration testing company, HackLabs, estimates that about 98 per cent of all Australian organisations run RDP internally, and 30 per cent have the RDP service exposed to the internet.
Fortunately, Microsoft has not yet discovered any working exploits of the hole in the wild and considers the work involved to create one to be non-trivial. This may give users time to patch their systems before an exploit is developed.
HackLabs director Chris Gatford said that a comparable vulnerability would be MS08-67, discovered in 2008, which affected Windows XP, 2000, Vista, Server 2003, Server 2008 and the then pre-beta version of Windows 7. Complete compromise of the computer running one of these operating systems was possible due to the way that Windows' Remote Procedure Call handled certain requests.
It took hackers only four days to release an exploit for MS08-67 and it went on to become a key vector of attack for several worms, including Conficker, which went on to arguably become one of top 10 viruses that changed the world. Microsoft later offered a US$250,000 reward for the arrest and conviction of Conficker's authors, but not before it hit RailCorp and ANZ Bank. It even appeared on hard drives sold by Aldi as recent as mid last year.
Workarounds for organisations that aren't yet ready to patch the remote desktop vulnerability do exist for administrators, involving the admins enabling Network Level Authentication (NLA) on Windows Vista and later platforms. Doing so means an attacker has to authenticate with the victim before it is possible to exploit RDP. However, enabling NLA will also render earlier versions of Windows, including XP and Server 2003, from being able to legitimately connect.
While XP users can use Microsoft's Credential Security Support Provider (CredSSP) to allow them to authenticate and continue to use RDP, no such support exists for Server 2003.