The NSA Effect: How Microsoft Patched Most of the Exploits Right Before Shadow Brokers Dump
Shadow Brokers took the cybersecurity industry by storm on Friday by releasing a trove of hacking tools for Windows that were allegedly stolen from the National Security Agency. "This is not a drill", Edward Snowden, NSA whistleblower, warned following the public dump of these exploits. The released documents indicated that the NSA had access to the SWIFT interbank messaging system, which allowed the agency to monitor the money flows among the Middle Eastern and Latin American banks. The Shadow Brokers also dumped several programs for attacking different versions of Windows.
Security researchers noted that while all of them appeared to be at least a few years old, Windows users who are not on the latest version could be vulnerable to attacks. Over the weekend, Microsoft released a statement refuting these claims, suggesting that everyone should be safe from these exploits - well, except for those who haven't installed the latest security updates.
Microsoft says Shadow Brokers exploits are patched - doesn't share how
In a blog post, Microsoft responded to the Shadow Brokers NSA exploits release saying that it has evaluated all of the exploits listed. "Most of the exploits are already patched", the company nonchalantly noted. With the lists and details shared by the Redmond software giant, it appears that the company either bought the exploits directly from Shadow Brokers ahead of the public release or NSA gave the company a heads-up - Microsoft isn't sharing what exactly happened, though.
Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandingly, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation.
When a potential vulnerability is reported to Microsoft, either from an internal or external source, the Microsoft Security Response Center (MSRC) kicks off an immediate and thorough investigation. We work to swiftly validate the claim and make sure legitimate, unresolved vulnerabilities that put customers at risk are fixed. Once validated, engineering teams prioritize fixing the reported issue as soon as possible, taking into consideration the time to fix it across any impacted product or service, as well as versions, the potential threat to customers, and the likelihood of exploitation.
Microsoft added that "most of the exploits" are already patched. These include (we have added the dates they were addressed on):
| Exploit | Addressed by | Patched on |
|---|---|---|
| EternalBlue | MS17-010 | March 14, 2017 |
| EmeraldThread | MS10-061 | September 14, 2010 |
| EternalChampion | CVE-2017-0146 & CVE-2017-0147 | March 14, 2017 |
| ErraticGopher | Addressed prior to the release of Windows Vista | - |
| EskimoRoll | MS14-068 | November 18, 2014 |
| EternalRomance | MS17-010 | March 14, 2017 |
| EducatedScholar | MS09-050 | October 13, 2009 |
| EternalSynergy | MS17-010 | March 14, 2017 |
| EclipsedWing | MS08-067 | October 23, 2008 |
The three exploits that the company didn't say were patched include EnglishmanDentist, EsteemAudit, and ExplodingCan. "None reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk", Microsoft wrote. "Customers still running prior versions of these products are encouraged to upgrade to a supported offering".
Did NSA help Microsoft in fixing these exploits? Redmond says no
The first list of exploits that Microsoft says are all patched includes several that were only fixed last month. Remember the February Patch Tuesday delay, possibly the first time ever that Microsoft didn't ship security updates? It looks like the company was working to fix these damning exploits and trying to release fixes for them all together.
The question that will now trouble many in the security industry - regardless of Microsoft having potentially avoided a massive security disaster - is how the company knew about these exploits right before their public disclosure. Did the company buy the access from Shadow Brokers directly, or did the NSA tip off Microsoft? Microsoft couldn't have just happened to patch these years-old exploits right before hackers decided to expose them.
If the company is really that connected to the NSA, did it know about these exploits all along but choose to go along with the intelligence agency? Since the Windows 10 launch, some users and privacy advocates have shared concerns about the company sending telemetry data to US intelligence agencies. While the Redmond software maker has become better at talking about Windows 10 privacy controls and exactly what data it has access to, the latest Shadow Brokers dump taints the company's image once again.
Microsoft isn't admitting to any of this. In a statement to Reuters, the company spokesperson said, "Other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers".
There is also a strong possibility that Microsoft itself bought access to these exploits after Shadow Brokers listed these tools back in January - and no one believed them. Microsoft hasn't acknowledged anyone for these security issues that were fixed in the March Patch Tuesday releases, either. "We may not list an acknowledgment for reasons including reports from employees, requests for non-attribution, or if the finder doesn't follow coordinated vulnerability disclosure", the company said in response.
While the curious cats try to find answers and we hopelessly wait for Microsoft to respond to these concerns, users just have to make sure their computers are up-to-date to stay secure.
When asked for a comment, Microsoft said in an email to Wccftech that at the moment the company has nothing to share beyond what is mentioned in the blog post already referenced above.