
From: Lawrence D'Oliveiro <ldo@nz.invalid>
Newsgroups: comp.os.linux.advocacy,alt.comp.os.windows-11
Subject: Microsoft: “It’s Not A Bug, It’s A Feature!”
Date: Wed, 30 Apr 2025 23:36:04 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 22
Message-ID: <vuuc53$1ajpm$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Windows RDP is a mechanism for doing remote GUI logins to a Dimdows
machine. It turns out that RDP has a “feature” whereby it continues to
allow you to log in using an old password, even after that password
has been revoked.

Microsoft doesn’t seem to see this as a security issue at all:

    In response, Microsoft said the behavior is “a design decision
    to ensure that at least one user account always has the ability to
    log in no matter how long a system has been offline.” As such,
    Microsoft said the behavior doesn’t meet the definition of a
    security vulnerability, and company engineers have no plans to
    change it.

Not only that, the problem had been reported to the company by another
security researcher nearly two years earlier:

    "We originally looked at a code change for this issue, but after
    further review of design documentation, changes to code could
    break compatibility with functionality used by many applications."

<https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/>