Microsoft: Critical worm hole could be exploited within 30 days


Listen up, this one is serious.

There is a critical vulnerability in many versions of Windows, which could be exploited to spread a worm automatically between vulnerable computers.

Microsoft has issued a patch, urging owners of vulnerable PCs to fix their computers as a matter of urgency.

[Image: Remote desktop settings]

The vulnerability lies in a part of Windows called the Remote Desktop Protocol (RDP) and could allow malicious hackers to run code - without the users' permission. That's obviously much more serious than a vulnerability which relies upon a user to click on an attachment, or be tricked into running a piece of code.

The security hole affects Windows XP and all versions of Windows released since, including the developer preview of Windows 8.

The nature of the vulnerability, and the fact that it impacts such a wide range of Windows computers, makes it very attractive to attackers.

In a blog post, Microsoft predicted that an exploit would be created for the vulnerability within 30 days:

"Due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days."

If Microsoft is prepared to say something like that, you really should sit up and pay attention.

The good news is that by default, RDP is not enabled on Windows, and if RDP is disabled you're not at risk. The bad news is that RDP has been frequently enabled by IT teams inside enterprises.

Microsoft is strongly encouraging Windows users to apply the MS12-020 security patch, but if your company cannot roll it out in a timely fashion, it has published information about other methods of reducing the chances of a threat impacting your organisation.
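
To see where a given machine stands on the three points above (is RDP enabled, is Network Level Authentication required, is the update installed), here is a read-only PowerShell check. It is an added example, not code from Microsoft or the original article; the function names are hypothetical, and the default update id is the one quoted in the comments below, so supply the ids listed in the MS12-020 bulletin for your Windows version.

```powershell
# Added example (not from the article): read-only audit of the local RDP
# settings relevant to MS12-020. Nothing is changed on the machine.
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-FirstSet {
    # Group Policy values, when present, override the local checkbox.
    param([string]$Name, [string]$LocalKey)
    $v = Get-RegValue $policyKey $Name
    if ($null -eq $v) { $v = Get-RegValue $LocalKey $Name }
    $v
}

function Get-RdpExposure {
    # Assumption: KB2667402 is the id quoted in the comments; pass the full
    # list for your Windows version from the MS12-020 bulletin.
    param([string[]]$PatchIds = @('KB2667402'))

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $rdpEnabled = (Get-FirstSet 'fDenyTSConnections' $tsKey) -eq 0
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nlaOn      = (Get-FirstSet 'UserAuthentication' $rdpTcpKey) -eq 1
    # Caveat: Get-HotFix does not list a fix delivered inside a later rollup.
    $missing = @($PatchIds | Where-Object {
        -not (Get-HotFix -Id $_ -ErrorAction SilentlyContinue) })

    if (-not $rdpEnabled)         { $verdict = 'RDP disabled: patch anyway' }
    elseif ($missing.Count -eq 0) { $verdict = 'RDP enabled, update installed' }
    elseif ($nlaOn)               { $verdict = 'RDP enabled, UNPATCHED, NLA on: patch soon' }
    else                          { $verdict = 'RDP enabled, UNPATCHED, no NLA: patch now' }

    New-Object PSObject -Property @{
        RdpEnabled  = $rdpEnabled
        NlaRequired = $nlaOn
        Port        = Get-RegValue $rdpTcpKey 'PortNumber'
        MissingKBs  = $missing -join ','
        Verdict     = $verdict
    }
}

Get-RdpExposure | Format-List
```

A machine reporting RDP enabled, update missing and NLA off is the case the article describes as wormable and should be patched first.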

Image of worm courtesy of Shutterstock.


44 Responses to Microsoft: Critical worm hole could be exploited within 30 days

  1. Michelinda · 863 days ago

    Nowhere on my Windows 7 64 bit system is there a window like above. I cannot find any setting to remove permission for removing rights to Remote Access. I can find Remote Assistance - and if this IS the same thing - it was enabled by default on my system. But somehow "access" and "assistance" don't seem the same. One would imply Windows could help me (tech), while the other is accessing my computer by an outsider? Such as myself when at work accessing my home computer? How does Windows 7 allow such access - and where did they hide it at?

    • Ernest · 863 days ago

      On Win7 the window can be found in control panel, system and security, then under the system heading and remote access.

    • phill · 863 days ago

      It's in system properties: click on remote setting, uncheck the allow remote assistance check box and then apply.

    • Jean · 863 days ago

      Right click on the "my computer" icon on your desktop, then properties, and remote settings.

      • Ann · 863 days ago

        I cannot find system properties on xp:(

        • Tom · 862 days ago

          Similar for XP to other instructions:

          Right click My Computer icon on desktop, click Properties. This brings up the System Properties window.

          If you don't have that icon on desktop, same can be found by Start+E to open Windows Explorer, then you can right-click the My Computer icon in the left folder pane, and click Properties.

    • jhand · 863 days ago

      For Windows 7, find Control Panel, choose System and Settings, and under System you should see a link about Allow Remote Access. Clicking that link takes me to the screen shown

    • Remote Desktop is not available for Home Premium and lower. As you said, only Remote Assistance is available.

    • blake · 862 days ago

      Hi - FYI in most versions of windows (if not all) the quickest way into system properties is the keyboard shortcut "Windows Key + Pause/Break"

    • Breck Stewart · 861 days ago

      In Windows 7 64 bits, in the control panel look at System and Security, then System, then option Remote settings to the left and you'll find the option to activate or deactivate The Remote Assistance thing. Thank God I checked cause mine was on even though I never did it so my guess is that many people also have it enabled without knowing.

  2. Zoe · 863 days ago

    There's nothing on the Microsoft website so I don't know where this warning has been issued... a con maybe?

  3. Theresa Duplessis · 863 days ago

    Are you saying we should set our systems box up to copy the box above?

    • Jon Fukumoto · 863 days ago

      If you look closely, those are the default settings. You can get to this screen through the Control Panel. To get to the screenshot shown above do the following: Start--->Control Panel. Double click on System, then click on the Remote tab. Uncheck the box and click on "Don't Allow Connections To This Computer" then click on OK. By doing this, you'll be protected.

  4. A. Waggoner · 863 days ago

    I just find mine by going to Control Panel > System and then on the upper left I select "Remote Settings".

    Hope that helps!

    Or if you use the category view, System and Security > System

  5. Johnny Cunningham · 863 days ago

    Easier than that is to go to your side bar, go to services, scroll down and find the remote procedures; you can take it from there.

  6. Sheena P · 863 days ago

    This is very true, someone accessed my laptop the other day. I heard them say something like oh shoot. smh....

  7. There's already an exploit out (took a few hours, not 30 days) which binds cmd.exe to port 4444 on the remote box. This has worm written all over it.

  8. craig · 863 days ago

    Either
    1. Turn off Remote Desktop completely
    2. Apply the patch that's listed in this article (find your Windows version): http://technet.microsoft.com/en-us/security/bulle...
    3. Turn on Network Level Authentication as shown above..

  9. Jon Fukumoto · 863 days ago

    Looking at the screenshots, those are the default settings. Under all versions of Windows, Remote Assistance is on by default. Simply unchecking the box and selecting "Don't Allow Connections To this computer" will protect you. Remote Desktop is off by default, and should be left off, unless needed. Nonetheless, this vulnerability should be taken seriously. I urge all users of Windows to pay attention to this.

    • Lisa K · 863 days ago

      Upon doing this, would it affect my connections with my online college classes?

  10. Bill · 863 days ago

    People People... it's pretty easy. Click on the link that is titled MS 12-020 020 and then select your OS. From there just follow the links. If you need more help... let me know.

    • Susie · 862 days ago

      what with the string of letters and numbers under computer info? i have windows 7, service pack 11, and a 64-bit system..

    • Susie · 862 days ago

      what's with the string of letters and numbers under the operating system? such as (KB2667402)?

  11. Bill · 863 days ago

    People............... click on the link MS 12-020. Then select your OS. It takes but a minute or two to process the update.

  12. Bill · 863 days ago

    People... go to the link MS 12-020 and click on your OS.

  13. The remote desktop option is only included in the Professional, Business, or Ultimate versions of Windows. Home editions do not have remote desktop.
    http://www.howtogeek.com/howto/windows-vista/turn...

    They only have Remote Assistance, which is enabled by default, as seen in the following page
    http://en.kioskea.net/faq/14521-windows-7-disable...

  14. Wanted to add that Home Premium users will only see the first box (and NOT the remote desktop),

  15. Susie · 862 days ago

    so, wait, is this going to affect general users (like home computers) or more like organizations?

  16. kenedy123 · 862 days ago

    Microsoft has issued a patch, urging owners of vulnerable PCs to fix their computers as a matter of urgency.

  17. liz · 862 days ago

    should i be worried about my personal computer and download the patch??

    • Tyw7 · 862 days ago

      Just run Windows Update and install everything and you'll be fine.

    • me2 · 862 days ago

      yes if you are running XP, Vista or Win7/8

    • I'm pretty sure if you installed all the updates that came out this Tuesday, March 13, 2012, you are all set (since the patch for this vulnerability came with other patches this Tuesday).

  18. Padraic McGrath · 862 days ago

    upgrade to CentOS, Redhat or Ubuntu.

  19. Robert Wurzburg · 862 days ago

    In Windows XP, also go to Control Panel>Windows Firewall>Exceptions. Make sure
    that Remote Assistance and Remote Desktop are unchecked in your firewall!

  20. Darryl · 862 days ago

    Are you at risk if you are behind a router? As far as I know, to get RDP working through a router, you have to manually open a port.

  21. Robert Wurzburg · 862 days ago

    In Windows XP, there is RDP. Go to Start>Programs>Accessories>Remote Desktop
    Connection. The RDP window opens where you can disable settings.

    In the Programs tab, the box to start a program should be unchecked with no data in
    the field.
    In the Advanced tab, under Server authentication, change the verification policy using
    the triangle to "Do not connect."
    Under "Connect from anywhere" click on Settings, the TS Gateway window opens.
    Under "Connection settings" change the TS Gateway to "Do not use a TS Gateway
    server" to close this port and decrease the attack surface. Click on OK when done,
    and restart your computer.

  22. Nancie Gaskins · 862 days ago

    Backdoor: Isass.exe hit my laptop already I cannot boot up, I do not have a start button. reading is Access denied. How can I boot my laptop up or how can I get my start button back? Please Help!!

    • mike · 861 days ago

      Take it to a certified tech. If you don't know how to repair a PC then don't; you will probably mess up the PC worse trying to do it yourself. I repair PCs and don't know how many times people come in only after they totally screwed the PC up.

  23. Robert Wurzburg · 861 days ago

    Microsoft has offered an automated "Fix-It" solution to the related Desktop Protocol
    Session Vulnerability I commented about earlier, giving you the settings in Windows
    XP. These also work for Windows Vista.
    http://blogs.technet.com/b/srd/archive/2012/03/13...

    Links for the Microsoft "Fix-It" solutions can be found on this page above, together
    with more information about the processes, vulnerabilities and threat mitigation.

  24. Paul · 861 days ago

    Use a Mac instead! Why torture yourselves with Microsoft Windows junk?!

    • Anonymous P Body · 847 days ago

      From what I just read MAC users aren't as secure as they blindly believed they were and there is a major issue out right now that is showing mac users that they got a bit too comfy and confident.......

  25. TomComKnowsHow · 861 days ago

    You can easily reach the window mentioned in this article two ways. You can enter sysdm.cpl in the Run [programs] window from the Start button on the Windows toolbar. Or, if you have a "My Computer" icon on your Windows desktop, right-click on the icon, scroll down to "Properties" then click on the "Remote" tab.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.