Somewhat… depending on the severity, organizations can be fairly good or rather poor at enforcing patch management. Of course, we can use Shodan to give us a better idea. Do you remember the ShadowBrokers, and their infamous ‘EternalBlue’ exploit? Nearly three years have passed since Microsoft pushed out a patch for that vulnerability, and you would think that by now, it would be a non-issue, especially for externally exposed SMB services. Using the search string ‘vuln:ms17-010’ we can see that there are currently over 14,000 vulnerable services, with just over 1,000 being in the United States.
Figure 1. EternalBlue Query
So not a lot, but still too many for something so dated. What about something more recent like the BlueKeep vulnerability? Shodan shows that a ridiculous 341,654 services are vulnerable with over 41,000 in the United States alone.
Figure 2. BlueKeep Query
Both of these queries point to a failure in patch management. While it is true that many of these could be various honeypots for research, it is still likely that many are legitimate findings. For the last example, we will further explore this and look at variants of Windows 2008, which have surpassed their end-of-life date in January of this year. Over a million exposed services are running on the outdated operating system. While currently there is not a known vulnerability on this operating system that is not patched, it is only a matter of time.
Figure 3. Windows Server 2008 Query