Remote Desktop Connection Manager is back after receiving important security update
Last year, Microsoft issued advice to stop using Remote Desktop Connection Manager (RDCMan) and turn to either Remote Desktop Connection or a universal Remote Desktop client instead.
The advice came after Microsoft deprecated RDCMan following the discovery of a serious security vulnerability which the company had said would not be fixed. But now that RDCMan has been made part of the Windows Sysinternals tools collection, a fix has been issued, meaning that RDCMan is safe to use once again.
The information disclosure vulnerability, tracked as CVE-2020-0765, bore the following description: "An information disclosure vulnerability exists in the Remote Desktop Connection Manager (RDCMan) application when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration".
Microsoft points out that in order to exploit the vulnerability, an attacker could create an RDG file containing specially crafted XML content and convince an authenticated user to open the file.
In addition to this, the company said:
Microsoft is not planning on fixing this vulnerability in RDCMan and has deprecated the application. Microsoft recommends using supported Remote Desktop clients and exercising caution when opening RDCMan configuration files (.rdg).
But now an update has been posted which informs users that:
RDCMan 2.82 is available through Sysinternals Remote Desktop Connection Manager - Windows Sysinternals | Microsoft Docs. This vulnerability has been addressed in this new version.
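Microsoft's earlier advice to exercise caution with .rdg files can be turned into a pre-open check. The following is an added example, not code from Microsoft or RDCMan: it reports any DOCTYPE or entity declaration in an RDG file without resolving it. The function names and both sample documents are constructed for illustration, and treating any DOCTYPE as grounds for rejection is an assumption of this sketch.

```python
import xml.parsers.expat

# Constructed samples: a plain RDG-style document and one that declares
# an external entity pointing at a placeholder name.
CLEAN_RDG = b'<?xml version="1.0"?>\n<RDCMan><file><name>lab</name></file></RDCMan>'
SUSPECT_RDG = (b'<?xml version="1.0"?>\n'
               b'<!DOCTYPE RDCMan [<!ENTITY ext SYSTEM "placeholder.txt">]>\n'
               b'<RDCMan><file/></RDCMan>')


def inspect_rdg(data: bytes) -> dict:
    """Report DTD constructs in RDG XML without resolving any entity."""
    findings = {"well_formed": True, "doctype": False,
                "external_entities": [], "internal_entities": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = True
        if system_id is not None:  # DOCTYPE refers to an external DTD subset
            findings["external_entities"].append(("(external DTD)", system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            findings["external_entities"].append((name, system_id))
        else:
            findings["internal_entities"].append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is installed, so expat records the
    # declarations above but never fetches a system identifier.
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        findings["well_formed"] = False
    return findings


def safe_to_open(data: bytes) -> bool:
    """Assumed policy: a legitimate .rdg file needs no DOCTYPE at all."""
    report = inspect_rdg(data)
    return report["well_formed"] and not report["doctype"]


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_RDG), ("suspect", SUSPECT_RDG)):
        print(label, safe_to_open(sample), inspect_rdg(sample))
```

Using a real parser rather than a text search means the check still works when the file is saved in an encoding such as UTF-16, where a byte-level search for the DOCTYPE keyword would miss it.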