SecurityvulnsSECURITYVULNS:DOC:22305Microsoft Security Bulletin MS09-044 - Critical Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927)
Microsoft Security Bulletin MS09-044 - Critical
Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927)
Published: August 11, 2009
Version: 1.0
General Information
Executive Summary
This security update resolves two privately reported vulnerabilities in Microsoft Remote Desktop Connection. The vulnerabilities could allow remote code execution if an attacker successfully convinced a user of Terminal Services to connect to a malicious RDP server or if a user visits a specially crafted Web site that exploits this vulnerability. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Important for default versions of RDP on affected editions of Windows Vista, Windows Vista for x64-based Systems, and Remote Desktop Connection Client for Mac 2.0 and is rated Critical for all default versions of RDP on all other affected Windows editions. This security update is rated Important for RDP Version 6.0 that administrators can manually install on Windows Server 2003 Service Pack 2 and Windows Server 2003 x64 Edition Service Pack 2 and is rated Critical for all other versions of RDP that administrators can manually install on affected Windows editions. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerabilities by changing the way the Remote Desktop Connection deals with unexpected parameters sent by the RDP server and by correctly validating parameters passed to the Remote Desktop Connection ActiveX control methods. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.
See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
Known Issues. Microsoft Knowledge Base Article 970927 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.
Top of sectionTop of section
Affected and Non-Affected Software
The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
Operating System Component Maximum Security Impact Aggregate Severity Rating Bulletins Replaced by this Update
Microsoft Windows 2000 Service Pack 4
RDP Version 5.0 (KB958471)** and RDP Version 5.0 (KB958470)
RDP Version 5.1 (KB958470)***
RDP Version 5.2 (KB958470)***
Remote Code Execution
Critical
None
Windows XP Service Pack 2
RDP Version 5.1 (KB958470)
RDP Version 5.2 (KB958470)***
RDP Version 6.1 (KB956744)***
Remote Code Execution
Critical
None
Windows XP Service Pack 2
RDP Version 6.0 (KB956744)***
Remote Code Execution
Important
None
Windows XP Service Pack 3
RDP Version 6.1 (KB956744)
RDP Version 5.2 (KB958469)***
Remote Code Execution
Critical
None
Windows XP Professional x64 Edition Service Pack 2
RDP Version 5.2 (KB958469)
Remote Code Execution
Critical
None
Windows XP Professional x64 Edition Service Pack 2
RDP Version 6.1 (KB956744)***
Remote Code Execution
Critical
None
Windows Server 2003 Service Pack 2
RDP Version 5.2 (KB958469)
Remote Code Execution
Critical
None
Windows Server 2003 Service Pack 2
RDP Version 6.0 (KB956744)***
Remote Code Execution
Important
None
Windows Server 2003 x64 Edition Service Pack 2
RDP Version 5.2 (KB958469)
Remote Code Execution
Critical
None
Windows Server 2003 x64 Edition Service Pack 2
RDP Version 6.0 (KB956744)***
Remote Code Execution
Important
None
Windows Server 2003 with SP2 for Itanium-based Systems
RDP Version 5.2 (KB958469)
Remote Code Execution
Critical
None
Windows Vista
RDP Version 6.0 (KB956744)
Remote Code Execution
Important
None
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
RDP Version 6.1 (KB956744)
Remote Code Execution
Critical
None
Windows Vista x64 Edition
RDP Version 6.0 (KB956744)
Remote Code Execution
Important
None
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
RDP Version 6.1 (KB956744)
Remote Code Execution
Critical
None
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
RDP Version 6.1 (KB956744)
Remote Code Execution
Critical
None
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
RDP Version 6.1 (KB956744)
Remote Code Execution
Critical
None
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
RDP Version 6.1 (KB956744)
Remote Code Execution
Critical
None
*Windows Server 2008 server core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 if Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.
**Customers of Microsoft Windows 2000 Service Pack 4 must install KB958471 prior to installing KB958470.
***Administrators may have manually installed this out-of-box download.
Affected Software
Software Maximum Security Impact Aggregate Severity Rating Bulletins Replaced by this Update
Remote Desktop Connection Client for Mac 2.0**** (KB970927)
Remote Code Execution
Important
None
****This download upgrades Remote Desktop Connection Client for Mac 2.0 to Remote Desktop Connection Client for Mac 2.0.1, which addresses the vulnerability.
Non-Affected Software
Operating System
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Top of sectionTop of section
Frequently Asked Questions (FAQ) Related to This Security Update
Where are the file information details?
Refer to the reference tables in the Security Update Deployment section for the location of the file information details.
What are the known issues that customers may experience when installing this security update?
Microsoft Knowledge Base Article 970927 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues.
What are the default installations of Remote Desktop Connection?
Many versions of Microsoft Windows are delivered with a default version of the Remote Desktop Connection (RDP) client. These versions are referred to as "in-box" components. However, a user or administrator may install more recent versions of the Remote Desktop Connection client. These more recent versions that you can install are referred to as "out of box" installations.
How can I determine the version of the RDP client installed on my system?
To determine your version of the RDP client, launch the RDP Client from the Start menu, click the top-left icon in the title bar, and select About.
Why does this update address several reported security vulnerabilities?
This update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.
I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.
Customers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.
Top of sectionTop of section
Vulnerability Information
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the August bulletin summary. For more information, see Microsoft Exploitability Index.
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Operating System Component Remote Desktop Connection Heap Overflow Vulnerability - CVE-2009-1133 Remote Desktop Connection ActiveX Control Heap Overflow Vulnerability - CVE-2009-1929 Aggregate Severity Rating
Microsoft Windows 2000 Service Pack 4
RDP Version 5.0 (KB958471)** and RDP Version 5.0 (KB958470)
RDP Version 5.1 (KB958470)***
RDP Version 5.2 (KB958470)***
Critical
Remote Code Execution
Not applicable
Critical
Windows XP Service Pack 2
RDP Version 5.1 (KB958470)
RDP Version 5.2 (KB958470)***
Critical
Remote Code Execution
Not applicable
Critical
Windows XP Service Pack 2
RDP Version 6.0 (KB956744)***
Important
Remote Code Execution
Not applicable
Important
Windows XP Service Pack 2
RDP Version 6.1 (KB956744)***
Important
Remote Code Execution
Critical
Remote Code Execution
Critical
Windows XP Service Pack 3
RDP Version 5.2 (KB958469)***
RDP Version 6.1 (KB956744)
Important
Remote Code Execution
Critical
Remote Code Execution
Critical
Windows XP Professional x64 Edition Service Pack 2
RDP Version 5.2 (KB958469)
Critical
Remote Code Execution
Not applicable
Critical
Windows XP Professional x64 Edition Service Pack 2
RDP Version 6.1 (KB956744)***
Important
Remote Code Execution
Critical
Remote Code Execution
Critical
Windows Server 2003 Service Pack 2
RDP Version 5.2 (KB958469)
Critical
Remote Code Execution
Not applicable
Critical
Windows Server 2003 Service Pack 2
RDP Version 6.0 (KB956744)***
Important
Remote Code Execution
Not applicable
Important
Windows Server 2003 x64 Edition Service Pack 2
RDP Version 5.2 (KB958469)
Critical
Remote Code Execution
Not applicable
Critical
Windows Server 2003 x64 Edition Service Pack 2
RDP Version 6.0 (KB956744)***
Important
Remote Code Execution
Not applicable
Important
Windows Server 2003 with SP2 for Itanium-based Systems
RDP Version 5.2 (KB958469)
Critical
Remote Code Execution
Not applicable
Critical
Windows Vista
RDP Version 6.0 (KB956744)
Important
Remote Code Execution
Not applicable
Important
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
RDP Version 6.1 (KB956744)
Important
Remote Code Execution
Critical
Remote Code Execution
Critical
Windows Vista x64 Edition
RDP Version 6.0 (KB956744)
Important
Remote Code Execution
Not applicable
Important
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
RDP Version 6.1 (KB956744)
Important
Remote Code Execution
Critical
Remote Code Execution
Critical
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
RDP Version 6.1 (KB956744)
Important
Remote Code Execution
Critical
Remote Code Execution
Critical
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
RDP Version 6.1 (KB956744)
Important
Remote Code Execution
Critical
Remote Code Execution
Critical
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
RDP Version 6.1 (KB956744)
Important
Remote Code Execution
Critical
Remote Code Execution
Critical
*Windows Server 2008 server core installation not affected. The vulnerability addressed by this update does not affect supported editions of Windows Server 2008 if Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.
**Customers of Microsoft Windows 2000 Service Pack 4 must install KB958471 prior to installing KB958470.
***Administrators may have manually installed this out-of-box download.
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Software Remote Desktop Connection Heap Overflow Vulnerability – CVE-2009-1133 Remote Desktop Connection ActiveX Control Heap Overflow Vulnerability – CVE-2009-1929 Aggregate Severity Rating
Remote Desktop Connection Client for Mac 2.0**** (KB970927)
Important
Remote Code Execution
Not applicable
Important
****This software upgrades Remote Desktop Connection Client for Mac 2.0 to Remote Desktop Connection Client for Mac 2.0.1, which addresses the vulnerability.
Top of sectionTop of section
Remote Desktop Connection Heap Overflow Vulnerability - CVE-2009-1133
A remote code execution vulnerability exists in the way that Microsoft Remote Desktop Connection (formerly known as Terminal Services Client) processes specific parameters returned by the RDP server. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs or view, change, or delete data; or create new accounts with full user rights.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-1133.
Mitigating Factors for Remote Desktop Connection Heap Overflow Vulnerability - CVE-2009-1133
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
•
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
•
RDP servers are not affected by this vulnerability. Only RDP clients are affected.
•
RDP Version 6.0 and RDP Version 6.1 do not allow the vulnerability to be exploited by a malicious Web site invoking the RDP ActiveX control, causing it to connect to a malicious RDP server. RDP Version 6.0 and RDP Version 6.1 are rated Important for this vulnerability.
Top of sectionTop of section
Workarounds for Remote Desktop Connection Heap Overflow Vulnerability - CVE-2009-1133
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
•
Restrict access to mstscax.dll
Note You must be an administrator to use these commands.
Windows XP
Run the following commands from a command prompt:
cacls %windir%\system32\mstscax.dll /E /P everyone:N
cacls %windir%\sysWOW64\mstscax.dll /E /P everyone:N
Windows Vista and Windows Server 2008
Run the following commands from an elevated command prompt:
takeown /F %windir%\system32\mstscax.dll
cacls %windir%\system32\mstscax.dll /E /P everyone:N
takeown /F %windir%\SysWOW64\mstscax.dll
cacls %windir%\SysWOW64\mstscax.dll /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\mstscax.dll') DO takeown /F %G && cacls %G /E /P everyone:N
Impact of workaround.After performing these steps, you will not be able to make outbound Remote Desktop connections.
How to undo the workaround.
Note You must be an administrator to use these commands.
Windows XP
Run the following commands from a command prompt:
cacls %windir%\system32\mstscax.dll /E /R everyone
cacls %windir%\SysWOW64\mstscax.dll /E /R everyone
Windows Vista and Windows Server 2008
Run the following commands from an elevated command prompt:
cacls %windir%\system32\mstscax.dll /E /R everyone
cacls %windir%\SysWOW64\mstscax.dll /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\mstscax.dll') DO cacls %G /E /R everyone
Top of sectionTop of section
FAQ for Remote Desktop Connection Heap Overflow Vulnerability - CVE-2009-1133
What is the scope of the vulnerability?
This vulnerability could allow remote code execution. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.
What causes the vulnerability?
A remote code execution vulnerability exists in the way the Microsoft Remote Desktop Connection processes specific parameters returned by the RDP server. This issue results in a heap overflow on the client which can be leveraged by the attacker to execute arbitrary code with the privileges of the logged-in user.
What is the Microsoft Remote Desktop Protocol?
The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Microsoft Windows-based applications running on a server. RDP is based on, and an extension of, the ITU T.120 family of protocols. RDP is a multiple-channel capable protocol that allows for separate virtual channels for carrying device communication and presentation data from the server, as well as encryption of the session. RDP provides an extensible base and supports up to 64,000 separate channels for data transmission and provisions for multipoint transmission. On some platforms, Microsoft Remote Desktop Connection is called Terminal Services Client.
RDP is implemented in the Windows platform as follows:
•
Windows Server 2008 and Windows Vista with Service Pack 1: Uses RDP Version 6.1 for Remote Desktop Connection.
•
Windows Vista: Uses RDP Version 6.0 for Remote Desktop Connection.
•
Windows XP Service Pack 3: Uses RDP Version 6.1 for Remote Desktop Connection and for Remote Assistance.
•
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2: Uses RDP Version 5.2 for Remote Desktop Connection and for Remote Assistant. Remote Desktop Web Connection supports RDP Version 5.2 and is backward compatible with RDP Versions 5.1 and 5.0. In addition, an out-of-box update is available which implements RDP Version 6.0 on these platforms.
•
Windows XP Service Pack 1 and Windows XP Service Pack 2: Uses RDP Version 5.1 for Remote Desktop Connection and for Remote Assistant. Windows XP also includes Remote Desktop Web Connection, which is an updated version of the Terminal Services Advanced Client (TSAC), an RDP client based on a Microsoft ActiveX control. Remote Desktop Web Connection supports RDP Version 5.1 and is backward compatible with RDP Version 5.0. In addition, two out-of-box updates are available which implement RDP Version 6.0 and RDP Version 6.1 on Windows XP Service Pack 2 respectively.
•
Windows 2000: Terminal Services includes enhanced RDP Version 5.0.
Why is this vulnerability Critical for all versions of RDP and all affected platforms with the exceptions of RDP Version 6.0 and RDP Version 6.1 on <platform>?
This vulnerability is rated Critical for RDP Version 5.0, RDP Version 5.1, and RDP Version 5.2 because of a specific attack scenario applicable to these RDP versions. In this attack scenario, an attacker could host a specially crafted Web site that is designed to exploit this vulnerability. Such a Web site could invoke the RDP ActiveX control and cause the control to connect to a malicious RDP server. This attack vector does not apply to RDP Version 6.0 and RDP Version 6.1 for the vulnerability described in CVE-2009-1133.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
How could an attacker exploit the vulnerability?
An attacker could convince a user to connect to a malicious RDP server, or could perform a man-in-the-middle attack and subsequently exploit this vulnerability on the Remote Desktop Connection client.
In addition, an attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site. This web site could invoke the RDP client ActiveX control and subsequently have it connect to a malicious server which exploits the vulnerability.
What systems are primarily at risk from the vulnerability?
Clients intended to connect to terminal servers are particularly affected by this vulnerability.
What does the update do?
This security update addresses the vulnerability by changing the way that the Remote Desktop Connection deals with unexpected parameters sent by the RDP server.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No, Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Top of sectionTop of section
Top of sectionTop of section
Remote Desktop Connection ActiveX Control Heap Overflow Vulnerability - CVE-2009-1929
A remote code execution vulnerability exists in the Microsoft Terminal Services Client ActiveX control. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited that page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-1929.
Mitigating Factors for Remote Desktop Connection ActiveX Control Heap Overflow Vulnerability - CVE-2009-1929
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
•
RDP Version 5.0, RDP Version 5.1, RDP Version 5.2, RDP Version 6.0, and Remote Desktop Connection Client for Mac 2.0 are not affected by this vulnerability.
•
By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
•
By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ subsection of this vulnerability section for more information about Internet Explorer Enhanced Security Configuration.
•
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
•
The malicious file could be sent as an e-mail attachment, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability.
•
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
•
RDP servers are not affected by this vulnerability. Only RDP clients are affected.
Top of sectionTop of section
Workarounds for Remote Desktop Connection ActiveX Control Heap Overflow Vulnerability - CVE-2009-1929
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
•
Prevent the Remote Desktop Connection ActiveX control from running in Internet Explorer
You can disable attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
For detailed steps that you can use to prevent an ActiveX control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797.
Follow these steps to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.
Create a text file named Disable_Remote_Desktop_ActiveX.reg with the following contents:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}]"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2}] "Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2}]"Compatibility Flags"=dword:00000400
Apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy.
For more information about Group Policy, visit the following Microsoft Web sites:
Group Policy collection
What is Group Policy Object Editor?
Core Group Policy Tools and Settings
Note You must restart Internet Explorer for your changes to take effect.
Impact of workaround. Users will not be able to start remote desktop connections from within Web pages.
How to undo the workaround. This workaround cannot be undone.
•
Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones
You can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High.
To raise the browsing security level in Internet Explorer, follow these steps:
On the Internet Explorer Tools menu, click Internet Options.
In the Internet Options dialog box, click the Security tab, and then click Internet.
Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.
Note If no slider is visible, click Default Level, and then move the slider to High.
Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.
Impact of workaround. There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".
•
Restrict Web sites to only your trusted Web sites
After you set Internet Explorer to require a prompt before it runs ActiveX controls in the Internet zone and in the local Intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you only add sites that you trust to the Trusted sites zone.
In Internet Explorer, on the Tools menu, click Internet Options.
Click the Security tab, click Internet, and then click Default level.
Move the slider to High, and then click OK.
On the Tools menu, click Internet Options.
Click the Security tab.
Click Trusted sites.
Click Sites.
If the sites that you want to add do not require server verification, click to clear the Require server verification (https:) for all sites in this zone check box.
Type the address of the Web site you want to add to the Trusted sites list.
Click Add.
Repeat steps 6 and 7 for each Web site that you want to add.
Click OK two times.
•
Add any sites that you trust not to take malicious action on your computer. One in particular that you may want to add is "*.windowsupdate.microsoft.com" (without the quotation marks). This is the site that will host the update, and it requires an ActiveX control to install the update.
•
Configure Internet Explorer to prompt before running ActiveX controls or disable ActiveX controls in the Internet and Local intranet security zones
You can set Internet Explorer to require a prompt before it runs ActiveX controls in the Internet zone and in the local Intranet zone. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the "Restrict Web sites to only your trusted Web sites" workaround.
In Internet Explorer, on the Tools menu, click Internet Options.
In the Internet Options dialog box, click the Security tab, click Internet, and then click Custom Level.
Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt.
In the Scripting section, under Active Scripting, click Prompt, and then click OK.
Click Local intranet, and then click Custom Level.
Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt.
In the Scripting section, under Active Scripting, click Prompt, and then click OK.
Impact of workaround. There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements.
Top of sectionTop of section
FAQ for Remote Desktop Connection ActiveX Control Heap Overflow Vulnerability - CVE-2009-1929
What is the scope of the vulnerability?
This vulnerability could allow remote code execution. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.
What causes the vulnerability?
The Remote Desktop Web Connection ActiveX control methods do not perform sufficient parameter validation.
What is the Remote Desktop Web Connection ActiveX control?
The Remote Desktop Web Connection ActiveX control allows you to access your computer, via the Internet, from another computer using Internet Explorer.
What is the Microsoft Remote Desktop Protocol?
The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Microsoft Windows-based applications running on a server. RDP is based on, and an extension of, the ITU T.120 family of protocols. RDP is a multiple-channel capable protocol that allows for separate virtual channels for carrying device communication and presentation data from the server, as well as encryption of the session. RDP provides an extensible base and supports up to 64,000 separate channels for data transmission and provisions for multipoint transmission. On some platforms, Microsoft Remote Desktop Connection is called Terminal Services Client.
RDP is implemented in the Windows platform as follows:
Windows Server 2008 and Windows Vista with Service Pack 1: Uses RDP 6.1 for Remote Desktop Connection.
Windows Vista: Uses RDP 6.0 for Remote Desktop Connection.
Windows XP Service Pack 3: Uses RDP 6.1 for Remote Desktop Connection and for Remote Assistance.
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2: Uses RDP 5.2 for Remote Desktop Connection and for Remote Assistant. Remote Desktop Web Connection supports RDP 5.2 and is backward compatible with RDP 5.1 and 5.0. In addition, an out-of-box update is available which implements RDP 6.0 on these platforms.
Windows XP Service Pack 1 and Windows XP Service Pack 2: Uses RDP 5.1 for Remote Desktop Connection and for Remote Assistant. Windows XP also includes Remote Desktop Web Connection, which is an updated version of the Terminal Services Advanced Client (TSAC), an RDP client based on a Microsoft ActiveX control. Remote Desktop Web Connection supports RDP 5.1 and is backward compatible with RDP 5.0. In addition, two out-of-box update is available which implement RDP 6.0 and RDP 6.1 on Windows XP Service Pack 2 respectively.
Windows 2000: Terminal Services includes enhanced RDP 5.0.
What is the Internet Explorer Enhanced Security Configuration?
Internet Explorer Enhanced Security Configuration is a group of preconfigured Internet Explorer settings that reduce the likelihood of a user or of an administrator downloading and running specially crafted Web content on a server. Internet Explorer Enhanced Security Configuration reduces this risk by modifying many security-related settings. This includes the settings on the Security tab and the Advanced tab in the Internet Options dialog box. Some of the important modifications include the following:
•
Security level for the Internet zone is set to High. This setting disables scripts, ActiveX controls, Microsoft Java Virtual Machine (MSJVM), and file downloads.
•
Automatic detection of intranet sites is disabled. This setting assigns all intranet Web sites and all Universal Naming Convention (UNC) paths that are not explicitly listed in the Local intranet zone to the Internet zone.
•
Install On Demand and non-Microsoft browser extensions are disabled. This setting prevents Web pages from automatically installing components and prevents non-Microsoft extensions from running.
•
Multimedia content is disabled. This setting prevents music, animations, and video clips from running.
For more information regarding Internet Explorer Enhanced Security Configuration, see the guide, Managing Internet Explorer Enhanced Security Configuration.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code on a users system. This could allow an attacker to take complete control of the affected system.
How could an attacker exploit the vulnerability?
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site. The web site would invoke the vulnerable ActiveX control and subsequently exploit the vulnerability.
Malicious Web sites can also include Web sites that accept user-provided content or advertisements, Web sites that host user-provided content or advertisements, and compromised Web sites. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
What systems are primarily at risk from the vulnerability?
This vulnerability requires that a user view Web sites for any malicious action to occur. Therefore, any systems where Internet Explorer is used frequently, such as users’ workstations or terminal servers, are at the most risk from this vulnerability.
Clients that are being used to connect to web based Terminal Services (RDP) servers are particularly affected by this vulnerability, as they will have the control installed and operational. Other clients may be affected if they have the control installed, or may become affected if the users accepts installation of the control by a malicious web server.
Customers who have installed RDP 6.1 on Windows XP Service Pack 2 as an out-of-box download are also vulnerable to this vulnerability. In such case, the severity rating is also Critical on Windows XP Service Pack 2.
What does the update do?
The update removes the vulnerability by correctly validating parameters for the Remote Desktop Web Connection ActiveX control methods.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No, Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Other Information
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
•
Wushi of Team509, working with Zero Day Initiative, for reporting the Remote Desktop Connection Heap Overflow Vulnerability (CVE-2009-1133)
•
Yamata Li for reporting the Remote Desktop Connection ActiveX Control Heap Overflow Vulnerability (CVE-2009-1929)
Top of sectionTop of section
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
Support
•
Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
•
International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
•
V1.0 (August 11, 2009): Bulletin published.
Related
