remote access Archives

Winsage

May 15, 2025

Microsoft Copilot+ Recall: who should disable it, and how

Microsoft's Recall feature for Copilot+ PCs was initially announced a year ago but delayed due to privacy concerns raised by cybersecurity experts. The updated version was released in April 2025 for Windows Insider Preview builds and rolled out more broadly in May. Key updates include requiring user permission for activation, encrypting database files with hardware-based Trusted Platform Module (TPM), and implementing a filter to prevent saving sensitive information. Recall is enabled on a per-user basis, can be uninstalled, does not require a Microsoft account, and processes data locally. However, it still has vulnerabilities, such as allowing access with a regular Windows PIN after initial biometric authentication and failing to consistently filter sensitive data. Recall can log interactions during calls and capture self-destructing messages, posing privacy risks. It can impact performance and battery life, especially during gaming. Users handling sensitive data or frequently using video conferencing may want to disable or remove Recall. Instructions for disabling or removing Recall are provided, along with precautions for those who choose to use it.

Winsage

May 15, 2025

Windows Remote Desktop Gateway Vulnerability Let Attackers Trigger Dos Condition

The Microsoft Security Response Center (MSRC) has released critical security updates to address a significant vulnerability in the Windows Remote Desktop Gateway service, identified as CVE-2025-26677, which allows unauthorized attackers to cause denial of service (DoS) conditions. This vulnerability is rated as "High" severity with a CVSS score of 7.5 and affects multiple versions of Windows Server, including 2016, 2019, 2022, and 2025. Microsoft has provided security updates (KB5058383, KB5058392, KB5058385, and KB5058411) to rectify the issue. Additionally, another vulnerability, CVE-2025-29831, has been identified that could enable remote code execution (RCE) through a Use After Free weakness, also rated with a CVSS score of 7.5. This vulnerability requires user interaction, specifically an admin user to stop or restart the service, and affects Windows Server versions 2008 R2, 2012/R2, 2016, 2019, 2022, and 2025. Organizations are advised to prioritize patching both vulnerabilities and to review network configurations to limit exposure of Remote Desktop Gateway services. The vulnerabilities were discovered by security researchers from Kunlun Lab.

Tech Optimizer

May 12, 2025

Defendnot: A Tool That Disables Windows Defender by Registering as an Antivirus

Cybersecurity developers have created a tool called defendnot, which disables Windows Defender by utilizing undocumented Windows Security Center (WSC) APIs. This tool is a successor to the no-defender project, which was taken down due to DMCA challenges. The developer reverse-engineered WSC’s validation algorithms and identified Taskmgr.exe as a suitable process to host the necessary code. Defendnot persists across reboots by adding itself to Windows autorun and can be managed via a command-line interface with options to disable Windows Defender and Windows Firewall. Unlike its predecessor, defendnot does not use third-party antivirus code. Security experts warn that disabling protection mechanisms should only be done in controlled environments by knowledgeable users.

AppWizard

May 11, 2025

Scrutinizing the security of messaging apps continues.

Customs and Border Protection (CBP) and the White House are facing scrutiny over security vulnerabilities in their messaging application. Hacktivists breached GlobalX, the airline handling U.S. deportation flights, exposing sensitive flight manifests. The FBI warned about threats exploiting outdated routers. Pearson confirmed a cyberattack compromising customer data. Research shows cybercriminals are using Windows Remote Management (WinRM) for lateral movements in Active Directory environments. A new email attack campaign is delivering a Remote Access Trojan (RAT) via malicious PDF invoices. A zero-day vulnerability in SAP NetWeaver allows remote code execution, affecting multiple sectors. An Indiana health system reported a data breach affecting nearly 263,000 individuals.

AppWizard

May 9, 2025

You can now verify if your Mullvad VPN app is legit

Mullvad has introduced reproducible builds for its Android VPN application starting with version 2025.2, allowing users to confirm the legitimacy of the app before installation. Reproducible builds ensure that identical copies of the application can be recreated from the same source code, build environment, and instructions, providing assurance against unauthorized modifications. This decision follows a rise in malicious free VPN applications and malware distribution through counterfeit software. Currently, only the latest version of Mullvad's Android VPN app features this capability, with no confirmed plans for other platforms. Mullvad encourages technically skilled users to verify the builds and has provided instructions for the verification process.

Winsage

May 7, 2025

Microsoft has no plans to fix Windows RDP bug that lets you log in with old passwords

Microsoft has decided not to address a significant security flaw in the Windows Remote Desktop Protocol (RDP) that allows users to log in with outdated, cached passwords, even after those passwords have been changed. The company claims this behavior is intentional, designed to prevent users from being locked out of their machines. Microsoft does not consider this a security vulnerability, despite concerns that it creates a potential backdoor for unauthorized access. The issue has been known to Microsoft since at least August 2023, but they chose not to modify the functionality due to compatibility concerns with existing applications.

Winsage

May 2, 2025

Windows RDP has a major security problem, and Microsoft has refused to do anything about it

A significant vulnerability has been identified in the Windows Remote Desktop Protocol (RDP), which allows old credentials to remain functional even after a password reset. Security researcher Daniel Wade revealed that users can still access their systems with previously revoked credentials due to the authentication process relying on locally stored credentials that do not update in real-time. Microsoft's Security Response Center acknowledged this behavior but stated it is an intentional design to ensure at least one user account can log in, regardless of the system's online status. Microsoft has been aware of this issue since at least August 2023 and has chosen not to modify the code, citing potential compatibility issues.

Winsage

May 1, 2025

Windows RDP has a major security problem, and Microsoft has refused to do anything about it

A security flaw in Windows RDP allows previously revoked credentials to remain functional after a password reset, enabling users to access their PCs with old passwords. Microsoft does not classify this issue as a bug, stating it is an intentional design to ensure at least one user account can always log in. This behavior is not flagged by Microsoft Defender, Azure, or Entra ID, and the company's documentation lacks clarity on the matter. Microsoft has been aware of this issue since at least August 2023 but has chosen not to modify the code, citing potential compatibility issues.

Winsage

May 1, 2025

Windows Warning — Microsoft Confirms Old Passwords Still Work To Login

Microsoft has confirmed that users can log into their Windows accounts using old passwords that have been changed and revoked under certain conditions. This behavior is classified as a feature rather than a security vulnerability. The issue arises from the Remote Desktop Protocol (RDP), which allows remote access to Windows machines. An independent security researcher discovered that after changing his password, he could still access his machine using the old credentials, even from new devices. Microsoft's documentation was updated to explain that credentials are verified against a local cached copy before network authentication, allowing continued access with the old password. Microsoft stated that this design ensures at least one user account can always log in, regardless of system offline status, and confirmed there are no plans to change this behavior.

Winsage

April 30, 2025

Windows RDP lets you log in using revoked passwords. Microsoft is OK with that.

The ability to use a revoked password for Remote Desktop Protocol (RDP) access on Windows machines linked to Microsoft or Azure accounts allows users to log in with either a dedicated password or the credentials from their online account. Even after changing the account password, the old password remains valid for RDP logins indefinitely, and in some cases, multiple previous passwords may still grant access. This behavior poses significant security risks, especially if the account has been compromised, as changing the password does not block access via RDP with the old password. The issue arises from credential caching on the local machine, where the initial login credentials are stored securely, allowing continued access without online verification.