Security researcher Dan Kaminsky (right) has identified approximately five million internet-accessible RDP endpoints that are potentially sitting ducks for a network worm exploiting the MS12-020 vulnerability.
Kaminsky, best known for his work finding -- and helping to fix -- a flaw in the DNS infrastructure, scanned 300 million IP addresses (approximately 8.3% of the Internet) and found about 415,000 "speaking the RDP protocol."
"Extrapolating from this sample, we can see that there’s approximately five million RDP endpoints on the Internet today," Kaminsky warned.
He noted that some of those endpoints may already have applied the MS12-020 patch, which provides cover for a "critical" code execution -- remote, pre-authentication, network-accessible -- vulnerability in Microsoft’s implementation of the RDP protocol.
However, Kaminsky's scan results show that RDP is "an enormously deployed service, across most networks in the world (21767 of 57344 /16's, at 8.3% coverage)."
"There's a very good chance that your network is exposing some RDP surface. If you have any sort of crisis response policy, and you aren’t completely sure you’re safe from the RDP vulnerability, I advise you to invoke it as soon as possible," Kaminsky added.
His warnings follow a mad scramble among security researchers -- white hat and black hat -- to create reliable exploit code targeting this vulnerability. There are numerous examples of proof-of-concept code that crashes an unpatched Windows machine but none of the public examples show remote code execution.
It’s important to note that the vulnerable code is reachable only if RDP is enabled and a mitigation feature in RDP called NLA (network level authentication) moves it to post-authentication which makes this vulnerability less likely to be wormed. There are instructions here to enable NLA on Windows to reduce the severity of a potential attack.