
Unpatched, Critical Flaw Found In Windows XP

Security researchers have uncovered a potentially serious security hole in Windows XP and Windows XP Professional that could allow skilled attackers to take over vulnerable computers, even PCs equipped with the latest Microsoft software patches and running the built-in Windows firewall.

The revelations, discussed on a security mailing list and detailed in a threat advisory by Danish security firm Secunia, come just two days after Microsoft released a batch of patches to fix other critical flaws in Windows software.

Microsoft could not be immediately reached for comment, but the expert who uncovered the flaw says he reported the problem to the company in early May and that Microsoft is working on a patch, which may be released in August.

The problem resides in the Windows "Remote Desktop," which lets users configure remote access to their computer. By default, the Microsoft firewall built into the Windows XP Service Pack 2 update is configured to deny connections from the Internet for remote desktop. But remote desktop shares the same vulnerable Microsoft programming code as "Remote Assistance" -- a service designed to allow Microsoft and other technicians to troubleshoot problems on Windows machines from afar. And the bad part is that the remote assistance program is automatically allowed to bypass the Windows firewall in PCs with Service Pack 2 installed.

Security experts warned, however, that there is little evidence that attackers are taking advantage of the vulnerability yet, and that exploiting the flaw may take some serious uber-hacking skills.

I will update with more information when I hear back from Microsoft, but one source told me that there is working code circulating on the Internet that allows attackers to use the flaw to gain control over vulnerable PCs.

If you use Windows XP and rely on Windows firewall to protect you online, it's probably a good idea to just disable the exceptions in the Windows firewall for "Remote Desktop" and "Remote Assistance." This workaround may not be effective, but it's worth a try.

To do this, click on "Start," then "Control Panel," and then the "Windows Firewall" icon. Then, in the Windows Firewall box, go to the tab labeled "Exceptions" and make sure that the boxes next to "Remote Assistance" and "Remote Desktop" are unchecked.
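The same workaround can be applied and, more importantly, verified from the command line, which avoids guessing what a checkbox label means. The script below is an added example and is not from the original post or from Microsoft; it uses the Windows XP SP2 `netsh firewall` context and `reg.exe`, run from an Administrator cmd.exe. It goes one step beyond the article by also turning off the Remote Desktop and Remote Assistance features themselves (the Terminal Server registry values `fDenyTSConnections` and `fAllowToGetHelp`), so that the firewall exception is not the only control. The executable path assumed for the Remote Assistance program exception (`sessmgr.exe`) is an assumption; step 4 lists the actual exceptions so you can confirm it before relying on it.

```batch
@echo off
rem Added example (not part of the Security Fix post): check and tighten the
rem Windows XP SP2 firewall around Remote Desktop / Remote Assistance.
rem Run from an Administrator cmd.exe.

echo === 1. Is anything listening on TCP 3389 (Remote Desktop)? ===
netstat -an | findstr ":3389"
if %errorlevel%==0 (echo   a 3389 listener is present) else (echo   no 3389 listener)

echo === 2. Firewall service exceptions before the change ===
netsh firewall show state
netsh firewall show service

echo === 3. Turn off the Remote Desktop exception ===
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE

echo === 4. Remote Assistance is a program exception, not a service type ===
rem List the allowed programs first; sessmgr.exe is an ASSUMED path for the
rem default "Remote Assistance" entry. Adjust if the list shows a different one.
netsh firewall show allowedprogram
netsh firewall set allowedprogram program=%windir%\system32\sessmgr.exe name="Remote Assistance" mode=DISABLE

echo === 5. Belt and braces: disable the features, not just the exceptions ===
rem fDenyTSConnections=1 is the "Allow users to connect remotely" box, cleared.
rem fAllowToGetHelp=0 is the "Allow Remote Assistance invitations" box, cleared.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 0 /f

echo === 6. Verify the result instead of trusting the dialog ===
netsh firewall show service
netsh firewall show allowedprogram
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp
```

Step 6 is the part that matters for the dispute over what an unchecked box means: after the script runs, the Remote Desktop service should show as disabled in `show service`, the Remote Assistance program should show mode `Disable` in `show allowedprogram`, and the two registry values should read 1 and 0 respectively. A machine behind a NAT router with port 3389 not forwarded (as one commenter notes) is not reachable from the Internet regardless, but the registry settings also protect against reaching the service from the local network.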

By Brian Krebs  |  July 15, 2005; 10:40 AM ET
Categories:  Latest Warnings  


I've kept "Remote Assistance" and "Remote Desktop" disabled for some time now. For most users these features should be kept disabled, as if one needs remote access one can always enable it as needed. I wish that Microsoft would uncheck these boxes (to disable the features) as its default option for them. That would help a lot of users who may be vulnerable and who aren't as knowledgeable about the existence of these features.

Posted by: Ann Hewitt Worthington | July 15, 2005 11:47 AM

This also assumes that a user has a direct Internet connection and is not behind a router or firewall. Therefore, this threat is more applicable to home users with a single computer rather than business users, as most businesses have a router in place with remote assistance / remote desktops port (3389) forwarding turned off.

Posted by: Nick Mancini | July 15, 2005 12:04 PM

So if I use Zone Alarm rather than the Windows firewall, am I safe?

Posted by: Nancy | July 15, 2005 12:55 PM

Nancy, using ZoneAlarm, or any firewall other than Windows Firewall, would be a good idea.

Posted by: TheMan | July 15, 2005 1:08 PM

Actually you click Start --> Control Panel -> Security Center (this was left out in the article) --> Firewall --> Exceptions, at least the way this is set up on my XP machine. I found Remote Desktop was already disabled, and I disabled remote assistance.

Thanks for the tip.

Posted by: Bob in Tokyo | July 15, 2005 6:00 PM

Brian: Thanks again for keeping us informed and as safe as possible.
Mike and Susan Cather

Posted by: Mike Cather | July 15, 2005 7:22 PM

Great Idea to offer a half-assed workaround that may or may not work instead of offering readers a real solution.

How about, don't connect to the internet unless you're protected by a firewall? Oh, you don't have a firewall, let me explain what it are some links to some free ones. Geez a high-schooler with minimal computing knowledge could write better advice than that.

Posted by: Chris | July 15, 2005 8:13 PM

I quote your article of July 18:

'To do this, click on "Start," then "Control Panel," and then the "Windows Firewall" icon. Then, in the Windows Firewall box, go to tab labeled "Exceptions" and make sure that the boxes next to "Remote Assistance" and "Remote Desktop" are unchecked! '

According to the text in the Windows Firewall section, if the above items are unchecked the exceptions are going to be ALLOWED. It seems to do just the contrary of what you intended to do.

Posted by: Clo Genti | July 18, 2005 2:01 PM

Remote assistance and remote desktop are just two of the many mechanisms Microsuck utilizes to spy on users of its products. Just because they say "no personal information is transferred" doesn't make it so. Define "no", "personal" and "information"; are yours the same as the EULAs? Don't think all these patches and updates are happy one way data transfers. "No updates available" means they just sucked information out of your machine.

Posted by: James | July 19, 2005 7:26 AM


You're wrong. The way to ensure that those services are NOT allowed through Windows Firewall is to ensure that there is no check mark in the box next to those services.

Check out this article from Microsoft

or just Google search for: exceptions windows firewall check

the link you want will be the first one that shows up.

Posted by: Mike | July 19, 2005 12:14 PM

At least you tried to tell people about this major security hole. None of what I'm reading on here is going to help though. The root of the problem is in the Administrator account (safe mode with network) only. If you don't change these settings in safe mode (and SO many others), you're fighting a losing battle if someone wants to get in (it sets the default). All of the "solutions" here are way too simplistic. Better do some more research...oops, I forgot, no one has bothered to put a real fix or info about it on the net. I've spent hours of trial and error. You'll know if what you're doing is working if you check to see if the ports 135-139, 445, etc. are open. Help yourself.

Posted by: Cee | July 21, 2005 12:59 PM


© 2010 The Washington Post Company