From: Lawrence D'Oliveiro
Newsgroups: comp.os.linux.advocacy,alt.comp.os.windows-11
Subject: Microsoft: “It’s Not A Bug, It’s A Feature!”
Date: Wed, 30 Apr 2025 23:36:04 -0000 (UTC)

Windows RDP is a mechanism for doing remote GUI logins to a Dimdows machine. It turns out that RDP has a “feature” whereby it continues to allow you to log in using an old password, even after that password has been revoked.

Microsoft doesn’t seem to see this as a security issue at all:

    In response, Microsoft said the behavior is “a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline.” As such, Microsoft said the behavior doesn’t meet the definition of a security vulnerability, and company engineers have no plans to change it.

Not only that, the problem had been reported to the company by another security researcher nearly two years earlier:

    "We originally looked at a code change for this issue, but after further review of design documentation, changes to code could break compatibility with functionality used by many applications."