Microsoft urges firms to focus on severe RDP flaw

Microsoft issued six patches on Tuesday, but in particular, it focused on warning firms to expedite applying a fix for a critical vulnerability that will likely be exploited quickly by online criminals.

The vulnerability, fixed during Microsoft's regular Patch Tuesday update, could allow an attacker the ability to remotely run code by exploiting the RDP (Remote Desktop Protocol), a Microsoft

technology for remotely accessing Windows computers. The issue affects all versions of Windows and, because it's common practice to allow RDP traffic through the firewall, could allow widespread attack.

"Due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days," company researchers wrote on the Microsoft Security Research & Defense blog, adding that "developing a working exploit will not be trivial -- we would be surprised to see one developed in the next few days."

Remote access software, such as RDP, has become a focus of significant security scrutiny following the source code theft of another such program, Symantec's pcAnywhere, earlier this year. Symantec had warned its users to not allow Internet traffic to directly communicate with the program, directing users to take extra steps to prevent attacks from reaching the software.

As Microsoft points out, however, many users do allow Internet traffic to their remote-access installations. An estimated 140,000 computers running pcAnywhere could be directly contacted from the Internet, according to scans run earlier this year. The Remote Desktop Protocol is orders of magnitude more popular: There could be as many as 250 million systems with an open RDP port, according to NMap data.

In its blog post, Microsoft urged users and administrators to apply the patch. In cases where that was not possible, computers running Windows Vista and later can run Network Level Authentication to require that authentication be established before an outside computer can connect to a remote server, mitigating much of the risk.

The software giant pointed out that RDP is not turned on by default, so the majority of Windows systems should not be vulnerable. However, that still leaves millions of systems vulnerable, a point of which Microsoft seems aware.

"We urge you to promptly apply this security update," the company concludes in its post. "We also encourage you to consider how you might harden your environment against unauthenticated, attacker-initiated RDP connections."

The company has worked with its Microsoft Active Protections Program partners to help them push out additional defenses to their customers.