Microsoft stopped RDCMan development due to a bug

Microsoft has stopped development of the Remote Desktop Connection Manager (RDCMan) application after it has been identified as vulnerability.

As the name suggests, this application allows remotely connecting to other Windows computers through RDP.

Windows Live Experience team developed it for the internal use, but since the late 2000s it has become available to everyone for download from the Microsoft website. Therefore, RDCMan has always been a standing alone tool, not included in Windows, but the application gained great popularity among system administrators in the late 2000s and early 2010s, and Microsoft continued to regularly release updates for it until 2014.

After the release of the built-in Windows MSTSC, as well as the official Remote Desktop application, it was announced that RDCMan support would be discontinued soon, and the company recommended switching to using these solutions, as their support has more functions and they are regularly updated.

“RDCMan is a client that is widely used to manage multiple remote desktop connections because it’s a convenient option. However, RDCMan has not kept pace with the level of advanced technology that we’re pursuing.” — said in Microsoft.

Nevertheless, RDCMan was still often used in corporate environments, in particular because it made possible conveniently manage multiple connections.

Now, after the March update set, RDCMan has ended. Microsoft stated that CVE-2020-0765, which was discovered in RDCMan, could allow attackers to steal data from users’ computers.

“An information disclosure vulnerability exists in the Remote Desktop Connection Manager (RDCMan) application when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration”, — said in Microsoft.

To exploit this bug, attacker had to create an RDG file containing XML and convince the authenticated user to open it.

Instead of fixing the vulnerability, Microsoft decided to fully abandon RDCMan support, without finding a reason to continue to support the application, which received the last update almost six years ago. Users are advised to stop using RDCMan as soon as possible.

Recall that at the beginning of the year Microsoft stopped supporting Windows 7 and released farewell updates. At the same time, My Digital Life forum community has found an illegal way to extend support for Windows 7.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *