Microsoft has added its Android Remote Desktop Protocol (RDP) app to the list of client software that needs updating to fix a security flaw first made public as part of July’s Patch Tuesday.
The flaw, tracked as CVE-2019-1108, was described as an information disclosure issue that could allow an attacker “to connect remotely to an affected system and run a specially crafted application.”
Although the rating made it sound less urgent, attackers are known to be very interested in RDP weaknesses, hence Microsoft’s caution that that exploitation was “more likely.”
The fix? To apply the relevant patch for the Windows version in question (KB4507453 in the case of Windows 10 64-bit version 1903).
In a quiet update this week, Microsoft now says the same applies to its popular Android RDP app too, which can be fixed by downloading the latest version from Google’s Play Store.
It’s the sort of issue that would be easy to overlook until the app eventually updates itself, possibly days later.
RDP pain
Microsoft has found itself with a large amount of RDP-related patching work during 2019.
Only last week, August’s Patch Tuesday fixed two ‘wormable’ Remote Desktop Services (RDS, which uses RDP) vulnerabilities with a critical rating, CVE-2019-1181 and CVE-2019-1182.
Before that, of course, was the big RDP flaw of the year so far, CVE-2019-0708, better known as BlueKeep.
As far as we know, no exploits for that are in use but most people think it’s only a matter of time before criminals make their move.
And all this is before you factor in the general problem of brute-forcing attacks on machines running poorly secured RDP. (For background data on this see Sophos’s recent research, RDP Exposed – The Threat That’s Already at Your Door.)
And this isn’t just for businesses, as Pro versions of Windows used by some home users come with remote desktop as a standard feature.
You can check whether this is running in Windows 10 by visiting Settings > System > Remote Desktop. If it is for some reason and you aren’t using it, our advice is to turn it off.