Microsoft Claims To Have Patched Shadow Brokers-Exposed Windows Flaws
Microsoft indicated that it has already patched Windows flaws exposed by newly leaked hacking tools, a problem that came to light on Friday.
The hacking tools are said to be U.S. National Security Agency (NSA) espionage tools, mostly affecting older Windows versions. They were leaked at the GitHub repository on Friday afternoon by "The Shadow Brokers," a covert group that previously auctioned off such tools in past leaks over the last year. This time, however, the group posted the password to access the tools, which means that they are generally accessible.
On late Friday night, Microsoft released a statement, claiming that the exposed Windows flaws were fixed by updates it has released for its supported products.
"We've investigated and confirmed that the exploits disclosed by the Shadow Brokers have already been addressed by previous updates to our supported products," a Microsoft spokesperson stated via e-mail. "Customers with up-to-date software are already protected. Our blog has more details."
Microsoft's blog post implied that three of the 12 purported NSA tools that were leaked still represent effective attack venues for Microsoft's unsupported Windows products. Organizations are protected only if they have applied Microsoft's most recent patches, including the March security updates, and only if they are using Windows products still covered under Microsoft's lifecycle support policies.
Here's how Microsoft explained it in the announcement:
Of the three remaining exploits, "EnglishmanDentist", "EsteemAudit", and "ExplodingCan", none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.
Microsoft typically won't issue security patches for its "unsupported" Windows products, which include Windows XP, Windows Vista, Windows 2000 and Windows 2008. Those products are still targets.
The purported NSA attack tools are said to date from 2013, but Microsoft fixed one of the holes just last month with MS17-010, which is a "Critical" fix for a Server Message Block 1.0 flaw.
Because of that timing, and Microsoft's February security patch delay, it's speculated that Microsoft was tipped off in advance about the release of the hacking tools, and that the February delay was associated with such a tip. Microsoft hasn't said as much, though.
The SMB 1.0 flaw that got patched in March was actually known in January, according to Matt Suiche, a Microsoft Most Valuable Professional who wrote about The Shadow Brokers tools.
The exact timing of when software companies get apprised of vulnerabilities is an important concern because of what it says about the effectiveness of the U.S. Vulnerability Equities Process (VEP). The VEP is a process for the disclosure of zero-day software flaws that are known by the U.S. government and its clandestine agencies. VEP may have been formulated at the policy level as late as 2008, but it only became public in 2016, according to a review published by the Electronic Frontier Foundation, a U.S.-based electronic privacy and civil liberties advocacy group. Supposedly, in 2013, the VEP sided more with disclosure of software flaws, except in cases of national security.
"In December 2013, the President’s Review Group on Intelligence and Communications Technologies released a report that concluded that the government should not continue to exploit zero-days but instead should disclose all vulnerabilities, except where there is a clear national security need to retain the exploit," the Electronic Frontier Foundation's document explained.
Since Microsoft fixed one of the flaws only last month, it's possible that The Shadow Brokers tools may represent NSA tools deemed useful for national security purposes. If so, it implies that the U.S. government could have withheld the information from Microsoft. It also implies that the VEP approach has largely been a meaningless promise for organizations concerned with protecting their computing environments.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.