Update: 12th June 2019
Install the RDP patch if you have not already done so. Use the paid-for micropatch if you can’t take a system offline to reboot it. If you can’t do either of these follow Microsoft’s or the NSA’s advice to mitigate the vulnerability.
Meanwhile; multiple proof of concepts of who to exploit the vulnerability have been developed by security researchers:
This story continues with another security researcher creating a proof of concept Metasploit exploit for this vulnerability. The exploit works on Windows XP, Windows 7, Server 2008 and Server 2008 R2. Windows Server 2003 has the RDP vulnerability but the vulnerability couldn’t be exploited.
The NSA have since issued an advisory in addition to the two notifications from Microsoft linked to above.
As a proof of concept of how long it may take to patch a system; I used a VMware snapshot taken from a test Windows XP SP3 system I used back in 2012. The installation had no updates apart from SP3. After 40 minutes; all missing patches (2008 – 2014), the updates from 2017 (resolving EternalBlue; amongst others) and this year’s RDP update were installed. Patching the RDP vulnerability took less than a minute (including the restart and start-up of the system).
I repeated the above using the Automatic Updates feature of Windows XP. I was able to full patch the system in 30 minutes.
Systems which are better maintained than this would easily take less time (even if patched manually like I did); especially if tools such as WSUS or SCCM are used where vast number of systems can be patched very quickly.
Original Post: 4th June
Earlier this month Microsoft issued an update to resolve a critical vulnerability in Remote Desktop Services making use of the RDP protocol, port 3389.
TL DR: If you use Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 or Windows XP, if you have not done so already, please install this update.
Why should this vulnerability be considered important?
As Microsoft reminded us when issuing the patch; this vulnerability requires no authentication or user interaction. It has the potential to spread just like the WannaCry and NotPetya infections did in 2017. Windows 8.1 and Windows 10 (and their Server equivalents) are NOT vulnerable.
Robert Graham from Errata Security on the 28th of May issued a report of the scan results from a widespread scan of the internet. He found approximately 950,000 vulnerable systems.
How can I protect my organisation or myself from this vulnerability?
The easiest method is to install the update available from Microsoft.
For Windows Server 2003 or Windows XP and Windows Vista; the update must be manually downloaded and installed from this link below since this update was not made available by the previous automatic mechanisms these versions of Windows had namely, Microsoft Update, Automatic Updates and Windows Update.
If you cannot install this security update; you can protect from this vulnerability by following the Workarounds listed in this link. Further explanation from Microsoft is also available from this link.
Microsoft on the 30th and 31st of May re-iterated it’s warning to patch vulnerable systems as soon as possible. Meanwhile; at least proof of concepts of who to exploit the vulnerability have been developed by at least 3 security researchers.