  • Microsoft revives deprecated RDCMan after fixing security flaw


    Karlston

    • 699 views
    • 2 minutes

    Microsoft has revived the Remote Desktop Connection Manager (RDCMan) app, which was deprecated last year because of an Important-severity information disclosure bug that the company decided not to fix.

     

    RDCMan is a Windows RDP (Remote Desktop Protocol) client used by system admins to manage multiple remote desktop connections.

     

    After discontinuing the app, Microsoft advised customers to switch to the built-in Windows Remote Desktop Connection client (%windir%\system32\mstsc.exe) or the universal Remote Desktop client.

     

    "An information disclosure vulnerability exists in the Remote Desktop Connection Manager (RDCMan) application when it improperly parses XML input containing a reference to an external entity," Microsoft explained in the March 2020 security advisory.

     

    "An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration."

     

    Attackers could exploit the bug (tracked as CVE-2020-0765) by tricking authenticated targets into opening RDG files containing maliciously crafted XML content.
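
Because the flaw is triggered by a DTD inside an RDG file, a received file can be checked for entity declarations before it is opened in an unpatched RDCMan. The following is an added example, not code from Microsoft or from the original article; the function name `rdg_dtd_findings` and both sample documents are constructed for illustration, and it also handles UTF-16 files, which a byte-level search for `<!ENTITY` would miss.

```python
import xml.parsers.expat as expat

class _PrologDone(Exception):
    """Raised at the root element: every DTD declaration precedes it."""

def rdg_dtd_findings(data: bytes) -> list:
    """Return (kind, name, system_id) tuples for DTD content in an .rdg file.

    expat only reports the declarations here; it does not fetch external
    entities by itself, so inspecting a file does not resolve them.
    """
    findings = []
    parser = expat.ParserCreate()  # detects UTF-8 / UTF-16 from the BOM itself

    def on_doctype(name, system_id, public_id, has_internal_subset):
        kind = "external-dtd" if system_id or public_id else "doctype"
        findings.append((kind, name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external-entity" if system_id or public_id else "internal-entity"
        findings.append((kind, name, system_id))

    def on_root_element(name, attrs):
        raise _PrologDone  # stop before any entity reference could be expanded

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root_element
    try:
        parser.Parse(data, True)
    except _PrologDone:
        pass
    except expat.ExpatError as exc:
        findings.append(("malformed", str(exc), None))
    return findings

# Constructed samples (not real RDCMan files); the system identifier is a placeholder.
CLEAN = "<RDCMan><file><properties><name>lab</name></properties></file></RDCMan>"
SUSPECT = ('<!DOCTYPE RDCMan [<!ENTITY ext SYSTEM "file:///CONSTRUCTED-PLACEHOLDER">]>'
           + CLEAN)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN.encode()), ("suspect", SUSPECT.encode()),
                        ("suspect utf-16", SUSPECT.encode("utf-16"))):
        print(label, rdg_dtd_findings(blob))
```

An empty result means the file carries no DTD at all; any `doctype`, `external-dtd` or entity finding in an RDG file from an untrusted source is a reason not to open it.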

    RDCMan revived as a Sysinternals tool

    However, as Microsoft Azure CTO Mark Russinovich revealed earlier this year, the company added RDCMan to the Windows Sysinternals toolkit and released version 2.8 in late June.

     

    "Good news for RDCMan (Remote Desktop Connection Manager) fans (like me): we've saved it from abandonment by bringing into Sysinternals," Russinovich said in February, confirming the tool's revival. "Look for its Sysinternals debut in the near future."

     

     

    While the company didn't share any details on the security flaw addressed in RDCMan 2.8, the patched vulnerability was not the one that led to the app being discontinued last year.

     

    Microsoft disclosed today in an update to the initial security advisory that the flaw was fixed in RDCMan 2.82, released on July 27 through the Sysinternals documentation website.

     

    The new Remote Desktop Connection Manager version runs on Windows 8.1 and higher or Windows Server 2012 and higher.

     

    "User with OS versions prior to Win7/Vista will need to get version 6 of the Terminal Services Client," Microsoft says. "You can obtain this from the Microsoft Download Center: XP; Win2003."

     

     
