Tuesday, July 19, 2005
Until a patch is issued, Microsoft recommends that users close or block TCP port 3389, the port opened when the Remote Assistance service of its Microsoft Windows operating system (OS) is enabled. The Remote Assistance feature is a service of the OS that allows Internet Technology administrators of corporate workgroups remote access to other desktops to perform maintenance and other configuration tasks from their own computer. It can also be used by on-line tech support sites. A support assistant can go into a user’s machine, if the service is enabled, and themself make changes directly to another person’s computer to resolve an issue.
To initialize the remote assistance feature, the user of the helper computer must first make a request of the user of the target computer. Compliance must be granted by the user of the target machine, which then fully opens the communication port of the target machine to the helper computer. The operator of the helper computer then has control of target computer to make changes at will. The user of the target machine can watch in a separate window the actions of the helper, and either party to the session can end it at any time.
In a telephone conversation with a Microsoft representative Tuesday, it was learned that work to develop a security patch is underway, but when it will be available is unclear. It was cited that a patch must work consistently across multiple platform versions of the OS.
The vulnerability, thought at first to affect only Windows XP SP2, is now believed to affect all current Windows editions, including Windows 2000, Windows XP SP1, Windows XP Professional x64, Windows Server 2003, Windows Server 2003 SP1, and Windows Server x64.
The Remote Desktop Protocol (RDP) is not enabled by default, however if the service is enabled, a Denial of Service attack could cause the OS to restart unexpectedly according to Microsoft, or experience buffer overflows according to Symantec. The RDP is enabled by default on Windows XP Media Center Edition.
Microsoft suggests users block TCP port 3389 (the port used by RDP) on their firewall, or disable Terminal Services or Remote Desktop if not required by the user. The remote desktop connections could also be secured using either Internet Protocol Security or a virtual private network connection until a patch is ready.
To disable Remote Assistance on a Windows XP Edition, the steps are:
- click ‘Start’, right-click ‘My Computer’, select ‘Properties’
- select ‘Remote’ tab on top of the ‘Systems Properties’ window, clear checkbox that says “Allow Remote Assistance invitations to be sent from this computer.”
- click ‘Apply’ button
The group, Internet Storm Center, detected spikes in scanning for port 3389 beginning July 6. Larger numbers of systems scanned were reported on July 13. Crackers may be scanning for vulnerable machines, the group said.
“It’s a kernel vulnerability,” said VP of engineering for Symantec Alfred Huger, “so it will be difficult to exploit reliably. But he [the original discoverer] found the vulnerability with a commonly-used tool, so if he can find it, so can others. I don’t think it will turn it into a large-scale worm, but then, some kernel vulnerabilities have ended up as just that, like the Witty worm.”