Path: news.eternal-september.org!eternal-september.org!.POSTED!not-for-mail
From: T <T@invalid.invalid>
Newsgroups: comp.os.linux.advocacy,alt.comp.os.windows-11
Subject: Re: Microsoft: “It’s Not A Bug, It’s A Feature!”
Date: Thu, 1 May 2025 00:02:44 -0700
Organization: A noiseless patient Spider
Lines: 26
Message-ID: <vuv6ak$ucma$1@dont-email.me>
References: <vuuc53$1ajpm$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 01 May 2025 09:02:45 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="b8d6a6d2b470d17e0064d0b3bd9ae59e"; logging-data="996042"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX191U/TQXx3fCM498dq0bfu/XSUz2iBTDsY="
User-Agent: Betterbird (Linux)
Cancel-Lock: sha1:XvdwzsTFfxZQ9aLatgtLRd8DHpE=
Content-Language: en-US
In-Reply-To: <vuuc53$1ajpm$1@dont-email.me>

On 4/30/25 4:36 PM, Lawrence D'Oliveiro wrote:
> Windows RDP is a mechanism for doing remote GUI logins to a Dimdows
> machine. It turns out that RDP has a “feature” whereby it continues to
> allow you to log in using an old password, even after that password
> has been revoked.
>
> Microsoft doesn’t seem to see this as a security issue at all:
>
>     In response, Microsoft said the behavior is “a design decision
>     to ensure that at least one user account always has the ability to
>     log in no matter how long a system has been offline.” As such,
>     Microsoft said the behavior doesn’t meet the definition of a
>     security vulnerability, and company engineers have no plans to
>     change it.
>
> Not only that, the problem had been reported to the company by another
> security researcher nearly two years earlier:
>
>     "We originally looked at a code change for this issue, but after
>     further review of design documentation, changes to code could
>     break compatibility with functionality used by many applications."
>
> <https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/>

This does not pass the stink test.