Patch Telnet? LOL. Disable Telnet!
With the release of MS15-002 on January 13th, the unfortunate tradition of rote guidance to patch—rather than to mitigate risk—continued.
While it's still a struggle to get organizations to take patch management seriously, the "fix the symptom, not the cause" approach to information security once again reared its ugly head.
Sure, patch your systems for all applicable updates that you're sure won't blow up your environment. That's good. What's better, however, is having built an environment where there are no antiquated services left to patch for critical vulnerabilities, so you don't even need to worry.
It's of course possible that any number of other protocols that are still sane to use could have issues, and patching is likely one of the only mitigations for them, but when a service like Telnet needs to be patched we've already lost the war.
Considering the limited exposure of default installations for modern versions of Windows, it's more terrifying just how many Twitter posts I was seeing that advised patching Telnet immediately, as if this were a normal thing to need to worry about.
"By default, Telnet is installed but not enabled on Windows Server 2003. By default, Telnet is not installed on Windows Vista and later operating systems."
...and rightfully so! While other remote access services have vulnerabilities too, the benefits of those services, and their general security and function, are worth the occasional patch. In contrast, having Telnet as a service in the first place already exposes your organization to potential harm strictly from the protocol point of view, well before any remote code execution issues that may pop up.
tl;dr vulnerabilities are going to happen, and you should patch for them, but each time a critical issue occurs it's worth rethinking the benefits that you're getting out of the impacted software and re-evaluating whether it's time to move on to a better solution.
Telnet's life is long over and if this vulnerability actually threatened your security, I'd contend you already have a lot to worry about and it's not just patch management.
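The check behind the title, as an added example that is not part of the original post: it reports whether the Telnet Server service exists on a Windows host and whether anything is listening on TCP/23, and with `-Disable` it stops the service and disables it. It assumes an elevated Windows PowerShell session, the service name `TlntSvr`, and English-language `netstat` output.

```powershell
# Added example, not from the original post. Run elevated in Windows PowerShell.
# Assumption: the Telnet Server service is registered under the name TlntSvr.
param(
    [switch]$Disable   # report only unless this switch is given
)

$name = 'TlntSvr'
$svc  = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"

if (-not $svc) {
    # Matches the default state the bulletin describes for Vista and later.
    Write-Output "$name is not installed on $env:COMPUTERNAME."
    return
}

# StartMode is Auto, Manual or Disabled; State is Running, Stopped, etc.
Write-Output ("{0}: StartMode={1}, State={2}" -f $name, $svc.StartMode, $svc.State)

# A listener on TCP/23 means something is accepting connections on the Telnet port.
# Assumption: netstat prints the state as LISTENING (English-language Windows).
$listening = netstat -ano | Select-String -Pattern ':23\s+\S+\s+LISTENING'
if ($listening) {
    Write-Output 'TCP/23 is listening:'
    $listening | ForEach-Object { $_.Line.Trim() }
}

# Installed-but-disabled is the only acceptable state short of removal.
if ($svc.StartMode -ne 'Disabled' -or $svc.State -ne 'Stopped') {
    if ($Disable) {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $name -StartupType Disabled
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        Write-Output ("After change: StartMode={0}, State={1}" -f $svc.StartMode, $svc.State)
    } else {
        Write-Output 'Telnet Server can still be started. Re-run with -Disable to stop and disable it.'
    }
}
```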