Back in March last year, Microsoft said it would deprecate its Remote Desktop Connection Manager (RDCMan) after a security vulnerability was found in the software. However, in February this year, it had a change of heart. Mark Russinovich, CTO of Microsoft Azure and co-creator of the Sysinternals utility suite, confirmed that RDCMan wouldn't be abandoned and would instead become part of Sysinternals.
Earlier today, Microsoft also updated its CVE for the security issue found in RDCMan, stating that the problem has been fixed. The vulnerability was assigned the ID CVE-2020-0765 and the latest RDCMan v2.82 addresses the issue. Here's how Microsoft described the vulnerability:
An information disclosure vulnerability exists in the Remote Desktop Connection Manager (RDCMan) application when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration.
To exploit the vulnerability, an attacker could create an RDG file containing specially crafted XML content and convince an authenticated user to open the file.
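A pre-open check for RDG files received from someone else, as an added example that is not from the article or from Microsoft. It assumes a legitimate RDG file carries no DOCTYPE, so any DTD or entity declaration is grounds to reject the file; the function name and both sample documents are constructed.

```python
import xml.parsers.expat as expat

# Constructed samples: a plain RDG-style document and one that declares an
# external entity (placeholder URI, never resolved by this code).
CLEAN_RDG = b"<RDCMan><file><properties><name>lab</name></properties></file></RDCMan>"
CRAFTED_RDG = (b'<?xml version="1.0"?>\n'
               b'<!DOCTYPE RDCMan [ <!ENTITY x SYSTEM "file:///placeholder"> ]>\n'
               b"<RDCMan><file><properties><name>lab</name></properties></file></RDCMan>")


class _Stop(Exception):
    """Raised to end parsing as soon as the root element starts."""


def inspect_rdg(data: bytes) -> list[str]:
    """Return DTD findings for an RDG document; an empty list means none."""
    findings = []
    parser = expat.ParserCreate()
    # No ExternalEntityRefHandler is installed, so expat never fetches an
    # external entity; declarations are only recorded.

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE {name} system={system_id!r}")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id is not None else "internal"
        findings.append(f"ENTITY {name} ({kind}) system={system_id!r}")

    def on_root(name, attrs):
        # A DTD can only precede the root element, so stop before any
        # entity reference in the body would be expanded.
        raise _Stop

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(data, True)
    except _Stop:
        pass
    except expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_RDG), ("crafted", CRAFTED_RDG)):
        print(label, inspect_rdg(doc) or "no DTD found")
```

Because the check goes through a real XML parser rather than a text search, it also covers UTF-16 encoded files and ignores DOCTYPE-like strings that appear inside the document body.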
Version 2.82 of RDCMan was not released today, however; it has been part of the Sysinternals suite since July 27. Alongside the security fix, Microsoft says the RDCMan v2.82 update also "adds a toggle for bitmap caching and fixes a series of crashes".
For those who want to download the software, you can do so from the following page.