At the present time, there is no hotfix or patch to correct this vulnerability.

From the bulletin:

In which [...]]]> Microsoft released a security bulletin this past weekend concerning a vulnerability in the Remote Desktop Protocol that may lead to a Denial of Service (DoS) attack.. Note that this vulnerability will not allow remote access to your computer.

At the present time, there is no hotfix or patch to correct this vulnerability.

From the bulletin:

In which Microsoft products is RDP implemented?
In general, RDP is the underlying protocol for Windows features that allows remote desktop sessions. For instance:
• Terminal Services in Windows 2000 and Windows Server 2003 implement RDP. For more information about Terminal Services and RDP, visit the following Web site.
• Remote Desktop Sharing in Windows XP implements RDP. For more information about the Remote Desktop feature in Windows XP, visit the following Web site.

How could an attacker attempt to exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially crafted Remote Desktop request and sending the request to an affected system.

What might an attacker use this vulnerability to do?
If an attack were successful, receipt of such a malformed Remote Desktop request could cause the vulnerable system to fail in such a way that it could cause a denial of service. Our investigation has determined that this is limited to a denial of service, and therefore an attacker could not use this vulnerability to take complete control of a system.

NOTE THAT WINDOWS XP PROFESSIONAL AND WINDOWS XP HOME EDITION ARE AFFECTED. Windows XP Home Edition is affected since the Remote Assistance solution uses RDP in connecting and controlling other machines…

Workarounds:

• Block TCP port 3389 at the firewall.
• Disable Terminal Services or the Remote Desktop feature if they are not required.
• Secure Remote Desktop Connections by using an IPsec policy.
• Secure Remote Desktop Connections by employing a Virtual Private Network (VPN) connection.

Of these options, the final workaround will be the easiest for most end users to implement. If you do not wish to use the built-in PPTP server, consider using something like SSL-Explorer which sets up a VPN based on SSL tunnels.

Click here for the security bulletin.
Click here for the KB article that will describe the proposed fix when released.

Tags: Remote Desktop, Security

Remote Desktop for Mobiles it is easy-to-use, reliable and secure remote control software which will allow you to work on the remote home or office computer [...]]]> While anxiously awaiting the firmware update for the Motorola MPx220 smartphone, I found the following new program that will run on any Java J2ME-enabled phone: Remote Desktop for Mobiles

Remote Desktop for Mobiles it is easy-to-use, reliable and secure remote control software which will allow you to work on the remote home or office computer from your mobile phone. You will see the screen of the remote computer on your mobile phone and also you can operate mouse and keyboard of the remote computer. Additional features of Remote Desktop for Mobiles allow you to execute any console commands on the remote computer and receive result to mobile phone. In addition has a set of commands for getting a system information and perform management of system.

This sounds intriguing, but using Remote Desktop on such a small device would leave much to be desired…

Also, I acquired through third party sources one of the Dell Axim X50v Pocket PCs. This is one is a VGA based device (640×480). What is nice is that the Remote Desktop client for the Pocket PC is VGA enabled, thus actually making it usable…

Tags: RemoteDesktop

Go check it out.

Tags: RemoteDesktop, SSH

Some tools I especially like are:

I have found at least one answer to this problem! In Windows Server 2003 (only), there is a new group policy setting called Restrict Terminal Services Users to a Single Remote Session. [...]]]> Darrell Norton over at dotnetjunkies posted a useful tip for those of you who frequently use Windows 2003 Remote Desktop Sessions:

I have found at least one answer to this problem! In Windows Server 2003 (only), there is a new group policy setting called Restrict Terminal Services Users to a Single Remote Session. In the Group Policy snap-in, it is located under (Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Terminal Services). Set the state to Enabled, and people won’t be able to have two connections. So they will either reconnect to their session, or come complain for help. But you won’t be locked out!

If the users just don’t understand the difference between Disconnect and Logoff, another useful policy is Remove Disconnect Option from Shut Down Dialog. Then the only way to disconnect is to close the Remote Desktop Window.� But doing that will popup a dialog box that tells the user the session will still be active.

[Darrell Norton’s Blog]