Microsoft is urging organisations to apply the single critical update in this month's Patch Tuesday release as soon as possible.
IT administrators who use RDP to manage their machines over the internet need to patch the vulnerability as quickly as possible, said Wolfgang Kandek, chief technology officer at security firm Qualys.
Besides the RDP bug, he said this month's Patch Tuesday addresses five other vulnerabilities that are less severe and can be dealt with in normal patch cycles.
These are: two denial-of-service bugs and an escalation-of-privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation-of-privileges issue in Microsoft Visual Studio.
Kandek said RDP is a popular method for controlling remote Windows machines, but it is not active by default on standard Windows installations. It has to be configured and started by the system's owner, and only then does the vulnerable service become reachable.
"Consequently we expect that only a relatively small percentage of machines will have RDP up and running," Kandek said in a blog post.
However, he said the RDP vulnerability is accessible through the network, does not require authentication and allows code execution on the targeted machine, a combination highly prized by attackers.
"Microsoft has rated its exploitability index as 1, meaning that they expect working exploits to be out in fewer than 30 days," said Kandek.
Qualys has published the following recommendations for the RDP vulnerability:
1. Within the week apply the patch on your Windows machines that are running the RDP service and are internet-facing (you can scan for port 3389 on your perimeter if you do not have an updated map). Note that the patch requires a reboot to become active. If you cannot apply the patch or reboot your machines, take the following countermeasures:
- Configure the firewalls on the machines so that only trusted IPs can access port 3389;
- Activate the Network Layer Authentication (NLA) protocol, which does not have this vulnerability. NLA is available on Vista and above on the server side and client side, and Windows XP can be made NLA compatible by installing a software package from Microsoft.
2. Within the month patch the rest of your systems - both external and internal. While the main attack vector is directly through the internet, it is likely malware will be equipped with the exploit for the RDP vulnerability and that it will be used for internal malware propagation.
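As an added example (not from the article, Microsoft or Qualys), the following PowerShell script audits a single host for the two countermeasures above and applies them: it reports whether the RDP listener is enabled and whether NLA is required, enforces NLA if not, and replaces the built-in "any source" Remote Desktop firewall rules with one scoped to trusted management addresses. It assumes an elevated session on Vista/Server 2008 or later (netsh advfirewall and the NLA setting are not available on XP), and $TrustedAdminNets is a placeholder to replace with your own jump-host addresses.

```powershell
# Added example: audit and harden RDP exposure on one Windows host.
# Assumes an elevated PowerShell session on Vista/2008 or later.
$TrustedAdminNets = '10.0.0.0/24,192.0.2.10'   # placeholder: your admin/jump-host ranges

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means the RDP listener is enabled.
$rdpEnabled  = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
# UserAuthentication = 1 means Network Level Authentication is required.
$nlaRequired = (Get-ItemProperty -Path $rdpKey).UserAuthentication -eq 1
Write-Host ("RDP enabled: {0}; NLA required: {1}" -f $rdpEnabled, $nlaRequired)

if (-not $rdpEnabled) {
    Write-Host 'RDP is not enabled on this host; nothing to harden.'
    return
}

if (-not $nlaRequired) {
    # Require NLA so clients must authenticate before a session is set up.
    # Applies to new connections; existing sessions are not affected.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Write-Host 'NLA is now required for RDP connections.'
}

# Turn off the built-in Remote Desktop rules (which allow any remote address)
# and add a single inbound rule limited to the trusted ranges.
$ruleName = 'RDP from trusted admins'
netsh advfirewall firewall set rule group="remote desktop" new enable=no | Out-Null
netsh advfirewall firewall delete rule name="$ruleName" 2>$null | Out-Null
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$TrustedAdminNets | Out-Null

# Verify: the scoped rule should be the only enabled inbound rule for 3389.
netsh advfirewall firewall show rule name="$ruleName"
```

Run the audit portion alone on a fleet (for example via a remote management tool) to build the inventory of internet-facing RDP hosts that step 1 asks for before rolling out the patch.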