Last Friday, Microsoft announced that it had already patched most of the exploits released by Shadow Brokers. Here's what that means for your business.
On Friday, hacker group Shadow Brokers released 300 MB of alleged exploits and surveillance tools targeting Windows PCs and servers, along with evidence of hacks on the SWIFT banking system. However, Microsoft said that most of these vulnerabilities were patched by previous updates as recently as March, according to a blog post published late Friday night by Philip Misner, principal security group manager at the Microsoft Security Response Center (MSRC).
The post explained Microsoft's process for dealing with reported vulnerabilities. "We work to swiftly validate the claim and make sure legitimate, unresolved vulnerabilities that put customers at risk are fixed," Misner wrote in the post. "Once validated, engineering teams prioritize fixing the reported issue as soon as possible, taking into consideration the time to fix it across any impacted product or service, as well as versions, the potential threat to customers, and the likelihood of exploitation."
In the case of the Shadow Brokers leak, "most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products," Misner wrote, including four that were previously believed to be zero-day attacks. The following exploits were already addressed, via the updates listed in parentheses:
- EternalBlue (MS17-010)
- EmeraldThread (MS10-06)
- EternalChampion (CVE-2017-0146 and CVE-2017-0147)
- ErraticGopher (Addressed prior to the release of Windows Vista)
- EskimoRoll (MS14-068)
- EternalRomance (MS17-010)
- EducatedScholar (MS09-050)
- EternalSynergy (MS17-010)
- EclipsedWing (MS08-067)
The three remaining exploits—EnglishmanDentist, EsteemAudit, and ExplodingCan—cannot be reproduced on supported Microsoft platforms, Misner wrote. That means that users running Windows 7 and later versions, as well as those using Exchange 2010 and later versions, are not at risk. However, users who are still running older versions of those products should upgrade immediately, the post said.
The question remains: How did Microsoft know which vulnerabilities to patch? Since the release of the blog post, security researchers have been speculating about why Microsoft mitigated these specific attacks a full month before they were published online, Ars Technica reported.
One theory is that an NSA source warned Microsoft about the impending leaks, Ars Technica reported. It's also possible that Microsoft paid Shadow Brokers for the information before its publication. Or, perhaps Microsoft patched the vulnerabilities on its own, without any warning from the NSA, and the Shadow Brokers chose to publish the information anyway to create confusion.
Another sign that Microsoft may have gained prior knowledge of the exploits was its unprecedented delay in releasing its monthly updates in February, for which it did not give a reason, ZDNet reported.
For enterprise Microsoft users, the key takeaway from this situation is to always ensure your machines and software are up to date. It's also important to stay informed on these types of breaches, especially if your business deals with sensitive data.
"We encourage customers to ensure their computers are up-to-date," Misner wrote in the post.