Vulnerability in Microsoft Remote Desktop
Update 3/16/2012: Added information about the pending RDP block at the University border.
On March 13, 2012, Microsoft released Advisory 2671387, which stated that Microsoft had fixed a vulnerability in the Microsoft Remote Desktop Protocol (RDP) that, if exploited, could grant an attacker complete control of the affected computer.
On a computer running Microsoft Remote Desktop in a default configuration, an attacker without credentials can send a specially crafted sequence of data to the computer and gain complete control of the vulnerable computer.
This affects all supported versions of Microsoft Windows.
By default, RDP uses TCP port 3389. This port is open at the University and is continually scanned by attackers. Normally the attackers are attempting to guess a valid username and password on the machine. While the University Information Security Office monitors and blocks excessive RDP connection attempts, we have not observed an increase in traffic as of March 16, 2012.
As of March 16, 2012, a bounty of almost $1500 USD has been offered for a working exploit. While the UISO believes attackers race to develop exploits after every vulnerability, this vulnerability is special because a working exploit could turn into a self-spreading worm that infects every unprotected Windows system running Remote Desktop.
Microsoft Security Bulletin MS12-020 included a patch that should be applied as soon as possible. Microsoft expects working exploits to be in use within weeks.
Note: UISO has no reason to believe that systems would continue to be affected AFTER applying the patch.
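The following PowerShell check is an added example for administrators and is not part of the UISO advisory or of Microsoft's guidance. It assumes the MS12-020 fix shows up in Get-HotFix as KB2671387 (the advisory number cited above) and that the Remote Desktop listener settings live under the standard Terminal Server registry keys; it reports whether the patch is installed, whether RDP is enabled and listening, and whether Network Level Authentication is required (NLA is listed as a workaround in Microsoft's MS12-020 bulletin, not in the text above).

```powershell
# Added example, not from the UISO advisory: report one host's exposure to MS12-020.
# Assumption: the fix appears as hotfix KB2671387 and RDP settings are in the usual keys.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is the MS12-020 update installed?  Get-HotFix errors when the KB is absent,
#    so suppress the error and treat "nothing returned" as "not patched".
$patch   = Get-HotFix -Id 'KB2671387' -ErrorAction SilentlyContinue
$patched = [bool]$patch

# 2. Does the host accept Remote Desktop connections at all (fDenyTSConnections = 0)?
$ts         = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
$rdpEnabled = ($ts -ne $null) -and ($ts.fDenyTSConnections -eq 0)

# 3. Which port does the listener use (3389 unless changed) and is NLA required?
$rdp  = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue
$port = if ($rdp -and $rdp.PortNumber) { $rdp.PortNumber } else { 3389 }
$nla  = ($rdp -ne $null) -and ($rdp.UserAuthentication -eq 1)

# 4. Is something actually listening on that TCP port right now?
$listening = (netstat -ano | Select-String -Pattern ":$port\s+.*LISTENING") -ne $null

# Summarise (New-Object keeps this compatible with PowerShell 2.0 on Windows XP/2003/Vista/7).
$report = New-Object PSObject -Property @{
    ComputerName    = $env:COMPUTERNAME
    MS12020Patched  = $patched
    RdpEnabled      = $rdpEnabled
    RdpPort         = $port
    RdpListening    = $listening
    NlaRequired     = $nla
}
$report | Format-List

# Plain-language verdict for the administrator.
if ($rdpEnabled -and $listening -and -not $patched) {
    Write-Warning "RDP is reachable on TCP $port and the MS12-020 update is not installed: apply it now."
} elseif ($rdpEnabled -and -not $nla) {
    Write-Warning "RDP is enabled without Network Level Authentication; Microsoft lists NLA as an MS12-020 workaround."
} else {
    Write-Host "No MS12-020 exposure detected on this host."
}
```

Run it in an elevated PowerShell session on each Windows machine that has Remote Desktop turned on; the registry and netstat reads are local, so nothing is sent to the network.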
For more on updating your Windows installation, visit: What is Windows Update, and how do I use it to update my Windows installation?
Update 3/16/2012: While Remote Desktop default port TCP 3389 is currently unrestricted at the University, the UISO is prepared to block thi