RDP threat surfaces in Windows

A newly discovered flaw in the Remote Desktop Protocol (RDP) could potentially affect most versions of the Windows operating system, and two new vulnerabilities in Internet Explorer 6 have also emerged. Meanwhile, a cluster of known Oracle threats remain unpatched after almost two years. John McCormick has the details on these and other security threats in this edition of the IT Locksmith.

A new Windows vulnerability has surfaced in the Remote Desktop Protocol (RDP), for which Redmond is purportedly working on a patch, and two new Internet Explorer vulnerabilities have also emerged. Meanwhile, a slew of Oracle threats have reportedly been out there for months, and they continue to remain unpatched.

Details

A new Windows vulnerability has surfaced, which Microsoft has verified but not yet patched (as of July 22, 2005). A defect in RDP can result in a denial of service event. However, no data loss or compromise appears to be possible, so the flaw isn't critical.

RDP is a protocol that permits remote access to all of a computer's data and applications via a virtual connection. So, while RDP has the potential to allow great damage to a system, this particular vulnerability doesn't expose systems to any such takeover threat.

Nevertheless, the threat is serious enough that Microsoft has announced that the company is working on a patch for release with its regularly scheduled August security bulletin (currently the second Tuesday of the month). For the latest details on this threat, check out Microsoft Security Advisory 904797 and Secunia Advisory 16071.

Another new Windows threat has emerged that relates to the way Internet Explorer 6 displays JPEG images. One flaw is a remote code execution threat, and a second is a denial of service vulnerability. Both are remotely exploitable boundary-condition errors, and they affect Internet Explorer 6 Service Pack 2 (and possibly earlier versions as well).

Finally, News.com reports that the popular Oracle database software contains a growing number of unpatched and serious vulnerabilities. According to one security researcher, Oracle has known about some of these flaws for two years and hasn't taken steps to patch them.

The researcher, Alex Kornbrust, is an employee of Red Database Security, which has published a laundry list of known but unpatched vulnerabilities in Oracle products. Kornbrust said he reported the vulnerabilities to Oracle about two years ago and recently warned the software maker that he would publish details about the flaws if the company didn't address them in its quarterly July patch release. He did just that on July 19.

According to an Oracle-specific security company, PeteFinnigan.com Limited, literally hundreds of known and unpatched Oracle vulnerabilities are out there. It can be very frustrating trying to determine which fixes Oracle has and hasn't made to its software—especially since the vendor seems to include a lot of bug fixes without bothering to mention them. If you're currently using workarounds to protect Oracle systems, check out this Red Database Security report for details on the latest patched—but not forgotten—bugs that Oracle actually fixed in its July security update.

Applicability

Windows XP Media Center Edition is the only operating system that enables RDP features by default, so this version is particularly vulnerable. However, many business environments run Windows with RDP deliberately enabled.

Terminal Services in Windows 2000 and Windows Server 2003 also use RDP, as does the Remote Desktop Sharing feature in Windows XP. However, the system is only vulnerable if you enable these services.

The threat also affects Windows XP Home Edition. But this only applies when a Remote Assistance request is pending and the system is waiting for a response on the vulnerable port.

In addition, RDP is available in the following systems: Windows 2000 Service Pack 4, all versions of Windows XP (including SP2 and 64-bit editions), and all versions of Windows Server 2003 (including Itanium editions). Check to see if someone has enabled the protocol in these systems. Keep in mind that Microsoft doesn't support earlier Windows versions for this level of threat, but they may be vulnerable in some circumstances.

Risk level - High

The RDP threat is a denial of service threat, and the risk level is high. While there are no signs that anyone is actively exploiting the vulnerability yet, details of the threat are now available online, and future attacks are certainly possible. I've run across some online reports about increased RDP port scans in the past few days, but I was unable to verify them.

Mitigating factors

Again, only one Windows version enables RDP by default (Windows XP Media Center Edition). Since most versions don't have this feature enabled, the overall threat is lessened. In addition, blocking TCP port 3389, the port RDP uses, will also protect systems.

Fix

Of course, you need to apply the patch when it becomes available, which will likely be in August. In the meantime, recommended workarounds include blocking the aforementioned TCP port 3389 at the firewall, disabling Terminal Services and the Remote Desktop feature if they aren't actually necessary, and using a secure VPN connection in situations where RDP is necessary.
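If you do block 3389 at the host firewall, the drop records it leaves behind are also the easiest way to check the RDP port-scan reports mentioned above against your own network. The script below is an added example (not the column's or Microsoft's code) that parses the W3C-style text format Windows Firewall writes to pfirewall.log, using constructed sample records, and flags any source that reaches TCP/3389 on several distinct hosts within a short window.

```python
"""Flag sources sweeping TCP/3389 in a Windows Firewall (pfirewall.log) text log. Added example; sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sweeping 3389 across five hosts, plus noise.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-07-22 09:00:01 DROP TCP 192.0.2.10 10.0.0.5 40001 3389 48 S 1 0 65535 - - - RECEIVE
2005-07-22 09:00:02 DROP TCP 192.0.2.10 10.0.0.6 40002 3389 48 S 1 0 65535 - - - RECEIVE
2005-07-22 09:00:02 OPEN TCP 10.0.0.7 10.0.0.5 51000 445 - - - - - - - - -
2005-07-22 09:00:03 DROP TCP 192.0.2.10 10.0.0.7 40003 3389 48 S 1 0 65535 - - - RECEIVE
2005-07-22 09:00:04 DROP TCP 192.0.2.10 10.0.0.8 40004 3389 48 S 1 0 65535 - - - RECEIVE
2005-07-22 09:00:05 DROP TCP 192.0.2.10 10.0.0.9 40005 3389 48 S 1 0 65535 - - - RECEIVE
2005-07-22 09:05:00 DROP TCP 198.51.100.4 10.0.0.5 39000 3389 48 S 1 0 65535 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            # Older (XP-era) logs have fewer columns; pad so every key exists.
            values += ["-"] * (len(fields) - len(values))
            yield dict(zip(fields, values))


def rdp_probe_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Return {src-ip: distinct targets} for sources that reach TCP/3389 on
    at least `threshold` distinct hosts inside one `window`."""
    hits = defaultdict(list)  # src-ip -> [(timestamp, dst-ip)]
    for rec in parse_firewall_log(text):
        if rec["protocol"] == "TCP" and rec["dst-port"] == "3389":
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            hits[rec["src-ip"]].append((ts, rec["dst-ip"]))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each event
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[src] = len(targets)
                break
    return flagged


if __name__ == "__main__":
    for src, n in rdp_probe_sources(SAMPLE_LOG).items():
        print(f"{src} probed 3389 on {n} hosts within a minute")
```

Point it at a real pfirewall.log by reading the file into `rdp_probe_sources`; a single stray hit (like 198.51.100.4 above) stays below the threshold, while a sweep is reported once per source.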

Final word

For those who love to bash Microsoft about slow patching, I'll only point out that Oracle users have suffered much longer—dealing with only quarterly updates and unpatched holes in the database for years. Even worse, the company doesn't announce when it actually does fix something, leaving users completely in the dark about whether a vulnerability still exists after a security upgrade. Actually testing for the vulnerability or relying on one of the Oracle-specific security firms is the only real way to tell.

According to Red Database Security's list, the current champion in the unpatched vulnerability sweepstakes is a group of cross-site-scripting vulnerabilities, which have remained unpatched for more than 720 days. At least seven other threats also remain unpatched after more than 600 days. Keep an eye out for these threats: Red Database Security has vowed to publish exploits that are still out there more than 650 days after notifying Oracle, and it recently began doing so.

Of course, Red Database Security is also promoting its own Oracle security services, but I guess the company figures enough is enough, and I tend to agree with them. While I typically don't condone publishing vulnerability or exploit information before giving a vendor the opportunity to fix the problem, two years is rather excessive—especially for something as critical as a database.

And remember: Just because this reputable security firm discovered these Oracle holes and kept its mouth shut for a long time doesn't mean hackers haven't discovered some or all of the same holes and are quietly exploiting them to mine users' data vaults for fun and profit.

Also watch for …

  • If you recently experienced trouble accessing the Spread Firefox Web site, it might be because hackers, who wanted in on the browser's success, brought down the site. This problem was reportedly due to the Drupal content management software used to maintain the site and had nothing to do with Firefox or Mozilla software.
  • And that's a good thing because Firefox has yet more problems of its own, starting with the release of version 1.0.5 and a new version of the Thunderbird e-mail software, which patched vulnerabilities but also blocked some third-party extensions. Even if you downloaded 1.0.5 after the July 12 release date, it's time to run out and get Firefox and Thunderbird 1.0.6, along with Mozilla Suite 1.7.10.
    In fact, the bug fixes are coming so fast that, when I checked the site to verify the situation, one page touted Firefox release 1.0.6, but several security pages still listed 1.0.5 as the latest version. So I recommend beginning your update checks with the main site's home page. By the way, Red Hat, Fedora, and other vendors have also released updates to fix Firefox, Mozilla, and/or Thunderbird problems.
  • According to the LSS security team, there's a newly reported and highly critical buffer overrun vulnerability in NullSoft's Winamp 5.x media player—specifically, versions prior to Winamp 5.094. Exploitation can result in complete system compromise, including remote code execution.
  • Finally, Microsoft announced last week that it has dubbed the next version of its Windows operating system Windows Vista—formerly code-named Longhorn—which the software giant plans to release in beta sometime next month.

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.