Please install MS05-041 if you are running Remote Desktop exposed to the Internet

[Bill Sanderson]

http://www.microsoft.com/technet/security/bulletin/MS05-041.mspx

Yesterday was the day Microsoft released security patches for August.

Among them was this patch which involves a Denial of Service (DOS) exploit
against Remote Desktop.

Previous to this release, the details of the vulnerability were not public.
They are now, as I understand it.

Several of the security patches for this month may be much more significant
than this one since they involve remote code execution, but if you are
running RDP, youi should get this one in place to avoid future problems, I
believe.

--

 

[anderscandell]

A little warning though. I installed the patch on my Windows 2003 SP1
server, and after a reboot the remote desktop didn't work anymore.
After uninstalling the patch, it was fine again.
I have changed the port for the remote desktop listener, which might
have something to do with this but you would think that MS have tested
this before releasing the patch.

 

[Guest]

I've experienced the same problem after installing MS05-041 on a domain
controller. A Netmon comparison with an unpatched server shows that the
patched server is sending a packet with a TCP reset flag at the point where
the connection would otherwise begin normally.

Since the RDP protocol is almost entirely undocumented our only solution to
this problem seems to be to remove the patch and begin deploying IPSEC to
avoid the potential DOS; does anyone have any solution to this problem or
know whether the patch is to be recalled? What would be *extremely* useful
would be some sort of debugging flag for TS connections.

Thanks-

James Ervin
Chapel Hill, NC

 

[anderscandell]

For the record, my server is also a domain controller.

/Anders

James Ervin skrev:

 

[Guest]

Bill-

I thought I would pass along this tip--we rebooted one of the affected
domain controllers again, and the problem resolved itself. This leads me to
believe that it might be possible to resolve the problem by deleting the
default RDP-Tcp connection object and re-creating it in the Terminal Services
Configuration MMC, but we haven't tested to verify this--also, that process
might require a reboot anyway, in which case recreating the connection would
be redundant.

Our DCs are Windows 2003 Enterprise Edition, SP1. The problem does not apear
to be related to encryption; we can now switch between the
"client-compatible" and "high" modes without difficulty.

It would still be nice to have this addressed in the patch documentation if
it is a necessary step for domain controllers.

James Ervin
Chapel Hill, NC