The MS12-020 vulnerability for which Microsoft released a patch yesterday is about as bad as you can get. The vulnerability requires *no* authentication, can be exploited from *any network* that has connectivity to a Remote Desktop Protocol (RDP) service, and gives an attacker a full GUI at the super-user level (the SYSTEM account on Windows). Game. Over.
Those who haven’t patched yet fall into one of three categories: those who are crazy, those who enjoy getting hacked, or those who are blissfully unaware of this vulnerability and its implications. For those in the last category, you won’t be blissfully unaware for long. Microsoft’s Security Research Team expects a working exploit to be published as soon as seven days from now, and likely within one month. If you have more than a handful of servers to patch, you better get started patching NOW!
The Sourcefire VRT already has signatures in place to detect attempts to exploit this vulnerability, and since True gets the VRT feed updates at least daily, True Digital Security’s Network Security Monitoring customers will be alerted if an attack happens. However, an IDS can’t prevent the attack, only warn that it has likely happened. Consequently, TRUE is recommending that all of our clients apply the MS12-020 patch immediately.
Further recommendation: If you have RDP open to the Internet, now is the perfect time to close that firewall hole and require VPN access as your single entry-point to the internal network from the Internet.
True’s Red Team expects Metasploit to have an exploit for this within a month. They also did a little happy dance when they realized that (unfortunately) they will be using this vulnerability for years to come to gain access during penetration tests.