Microsoft has no plans to fix Windows RDP bug that lets you log in with old passwords


Microsoft apparently has no plans to fix a security flaw that leaves machines reachable over Windows Remote Desktop Protocol (RDP) vulnerable. According to a recent report submitted to the Microsoft Security Response Center (MSRC) by Daniel Wade, Windows RDP will accept an old, cached password for a login even after the account's password has been updated or changed.

This means changing an account's password does not cut off RDP access to a machine: an old cached password will still produce a successful login, which is a serious security concern. Despite what amounts to an open backdoor, Microsoft maintains that the behavior is intentional and says it has no plans to change how the function operates, because it ensures users are never completely locked out of their machines.

Microsoft applies its own definition of what qualifies as a "security vulnerability" and says this behavior does not meet it. The feature was deliberately designed so that users can still reach a given machine over RDP even after it has been offline for a long period of time. Despite the concern, the feature is not optional and cannot be disabled.

Wade described the security concern as a breakdown of trust. In information security, changing a password is generally treated as a sure way to terminate any access to an account that was established with a previous password. In this case, access with old passwords cannot be prevented, and users receive no warning that those old passwords remain valid for RDP.

This is especially concerning where a password has been publicly compromised. Because there is no way to revoke the RDP authorization tied to the old password, a would-be attacker can gain access to the machine without the account owner being any the wiser.
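Since, per the report, rotating the password alone does not close off RDP, the practical response is to shrink the RDP attack surface and review who has actually been logging in over it. The script below is an added example written for this page, not code from the article, from Wade's report or from Microsoft. It reads well-known registry settings (whether RDP is enabled, whether Network Level Authentication is required, and the domain-credential cache depth `CachedLogonsCount`, which is an assumption here in the sense that the page does not say this setting governs the cache the report describes), lists the members of the Remote Desktop Users group, and pulls Security event 4624 entries with logon type 10 (RemoteInteractive, i.e. RDP) from the last few days. It cannot tell from the event whether a current or a stale password was presented; it surfaces the sessions so an administrator can check them against the expected ones after a password change, which the article says Windows itself will not warn about. Run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the article or from Microsoft): audit the local RDP
# exposure and list recent RDP logons for review after a password change.
# Requires an elevated session to read the Security event log.

function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'
    $wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # fDenyTSConnections = 0 means RDP is enabled; UserAuthentication = 1 means NLA is required.
    $deny   = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla    = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Assumption: CachedLogonsCount only governs cached *domain* logons (default 10);
    # the article does not say it controls the credential cache RDP honours.
    $cached = (Get-ItemProperty -Path $wl  -Name CachedLogonsCount  -ErrorAction SilentlyContinue).CachedLogonsCount

    # Accounts allowed to connect: local Administrators always can, plus this group.
    $rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name

    [pscustomobject]@{
        RdpEnabled         = ($deny -eq 0)
        NlaRequired        = ($nla -eq 1)
        CachedLogonsCount  = $cached
        RemoteDesktopUsers = $rdpUsers
    }
}

function Get-RecentRdpLogons {
    param([int]$Days = 7)
    # Security event 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the event XML so fields are addressed by name rather than by index.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                SourceIp = $d['IpAddress']
                AuthPkg  = $d['AuthenticationPackageName']
            }
        }
    }
}

$exposure = Get-RdpExposure
$exposure | Format-List
if ($exposure.RdpEnabled -and -not $exposure.NlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication.'
}
if ($exposure.RdpEnabled) {
    Write-Host "RDP logons (logon type 10) in the last 7 days:"
    Get-RecentRdpLogons -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize
}
```

Any logon in the list from an unexpected source address after the password was changed is worth treating as a live session to terminate, rather than assuming the rotation took care of it.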

Microsoft has been aware of the issue for some time; it cited a previous report from August 2023. Although the issue was investigated then, the decision was ultimately made not to change how the feature works, out of concern for compatibility problems it could cause with existing applications.
