Ensure that all software on all your devices is up to date. Some updates have been released, and more are expected to be released over the coming weeks and months as manufacturers and vendors respond to these vulnerabilities.
In particular, ensure your operating system, anti-virus, and browser are updated. If you have a device which is no longer receiving updates, you should consider upgrading or replacing it, to ensure you can get the latest security updates.
CERT NZ’s advice on End-of-Life Devices
UPDATE: It’s important to check with your anti-virus vendor to see how they are working to mitigate this issue, as Microsoft are requiring anti-virus providers to certify compatibility with security updates. Microsoft have noted: “Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets [a specified registry key]”. Further information can be found on the DoublePulsar site External Link .
For all systems, it’s critical to check with vendors for update guidance. For organisations using Windows Server, CERT NZ recommend that you read Microsoft's guidance External Link and follow the steps provided where applicable.
In order to mitigate these vulnerabilities, it is possible that the performance of some systems may be impacted, however the effects will be dependent on the systems, the patch, the tasks they are used for and their implementation. Where concerns about these impacts arise, CERT NZ recommend referring to the product vendor for advice and practise standard testing and due diligence before deploying patches. Regardless of potential performance impact, the security implications of not patching these vulnerabilities could be severe, and CERT NZ strongly recommends undertaking all appropriate mitigations.
Many vendors have released updates, and others are underway. US CERT is maintaining a list of vendor responses to these vulnerabilities, which can be found at https://www.us-cert.gov/ncas/alerts/TA18-004A External Link .