This week Microsoft confirmed that Remote Desktop Connection Manager (RDCMan) has been deprecated due to security issues.
The app has been around for decades and enables users to handle multiple remote desktop connections, but Microsoft has long invested in other solutions to provide remote desktop access to users.
In a support article published last year, the technology giant urged users to migrate instead to the inbox Remote Desktop Client (MSTSC) and the universal Remote Desktop Client, claiming RDCMan “did not keep up with the advanced technology” the company needed.
“These customers provide greater protection and are a core component of our innovation roadmap. You should expect even more capabilities in the future, such as the ability to manage multiple links better,” said Microsoft in July 2019.
This week, on March 2020 Patch Tuesday, Microsoft announced that RDCMan is affected by an information disclosure vulnerability that will not be fixed because the application has been deprecated.
The vulnerability is tracked as CVE-2020-0765 and exists because RDCMan improperly parses XML input containing a reference to an external entity. This XML external entity (XXE) flaw could allow an attacker to read arbitrary files through an external entity declaration.
“An attacker could create an RDG file containing specifically crafted XML content to exploit the vulnerability and persuade an authenticated user to open the file,” Microsoft announced.
The security defect, found to affect Remote Desktop Connection Manager 2.7, has a moderate severity rating, and no mitigating factors are specified. No workaround was found for the problem either.
The company states, however, that it is not planning to release a fix for the bug and that the program has been discontinued.
“Microsoft recommends using supported remote desktop clients and exercising caution when opening RDCMan configuration (.rdg) files,” the company notes.
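One way to apply that caution before an .rdg file from an untrusted source is opened is to check it for DTD content, since an XXE payload needs a DOCTYPE or entity declaration. The following is an added example, not code from Microsoft or the original article; the function name `rdg_findings` and both sample files are constructed for illustration, and the parser is never given an external entity handler, so nothing declared in the file is fetched.

```python
import xml.parsers.expat


def rdg_findings(data: bytes) -> list[str]:
    """Return reasons an .rdg file looks unsafe to open (empty list = none found)."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    # No ExternalEntityRefHandler is installed, so expat only reports
    # declarations here and never resolves an external entity.
    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE declaration for root '{name}'")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id or public_id else "internal"
        findings.append(f"{kind} entity '{name}' declared")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


# Constructed sample: a plain RDCMan 2.7 style file with no DTD.
BENIGN_RDG = (
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b'<RDCMan programVersion="2.7" schemaVersion="3">'
    b'<file><properties><name>lab</name></properties></file></RDCMan>'
)

# Constructed sample: same file with a DTD that declares an external entity
# (placeholder URI, never dereferenced by this check).
SUSPICIOUS_RDG = (
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b'<!DOCTYPE RDCMan [<!ENTITY x SYSTEM "file:///constructed/placeholder.txt">]>\n'
    b'<RDCMan programVersion="2.7" schemaVersion="3">'
    b'<file><properties><name>lab</name></properties></file></RDCMan>'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_RDG), ("suspicious", SUSPICIOUS_RDG)):
        print(label, rdg_findings(sample) or "no DTD content found")
```

A legitimate RDCMan configuration file has no reason to carry a DOCTYPE, so any finding is grounds to discard the file rather than open it.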
In March 2020, Microsoft fixed a total of 115 vulnerabilities, including 26 critical flaws in Windows, Word, Dynamics Business Central, and its web browsers.
On Thursday, the company published out-of-band fixes for a remote code execution bug in Windows Server Message Block 3.0 (SMBv3). Due to its critical nature, the problem is thought to be wormable.