Microsoft says it's all patched up

The latest Shadow Brokers release of alleged NSA hacking tools included a trove of Microsoft exploits, but the software giant says it has now patched all of the vulnerabilities in the leaked code.

Microsoft's "Patch Tuesday" is a cybersecurity ritual, but the company faced a potential off-day crisis when the Shadow Brokers chose Good Friday to release a trove of exploits of Microsoft products.

The latest Shadow Brokers release, "Lost in Translation," included a folder full of Windows exploits that cybersecurity experts initially characterized as the most devastating release of National Security Agency tools to date. @hackerfantastic referred to it on Twitter as a "Microsoft Apocalypse."

Microsoft, however, said that the potential damage had already been contained.

"Our engineers have investigated the disclosed exploits, and most of the exploits are already patched," the company said in a blog post.

"Of the three remaining exploits, 'EnglishmanDentist', 'EsteemAudit', and 'ExplodingCan', none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk," Microsoft stated. "Customers still running prior versions of these products are encouraged to upgrade to a supported offering."

Microsoft told the Intercept and other outlets on April 14 that, "at this time, other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers."

However, that statement does not preclude the possibility that Microsoft could have received a more general warning about exploits that did not specifically reference the Shadow Brokers. Microsoft declined to address any further questions from FCW on the subject.

A former senior intelligence official who spoke to FCW on condition of anonymity said that, hypothetically, something like the August 2016 announcement by the Shadow Brokers that they were in possession of stolen NSA tools would have triggered internal discussions about whether private vendors should be warned about vulnerabilities and potential exploits.

The former official stated that it is government policy not to confirm whether the stolen data belonged to the NSA, and he could not confirm or deny whether any outreach has taken place to warn vendors of vulnerabilities.

However, the source added that if a vendor had already patched a vulnerability, then the government's Vulnerabilities Equities Process would not require disclosure.

That means that while those who had updated their systems would be immune to an exploit, the tool could still be used by the government or anyone else against unpatched devices, so the tools would retain their value. As has been the case with previous Shadow Brokers releases, the exploits and tools they claim to have stolen from the NSA are several years old, and in the case of the Microsoft exploits, they appear to have been rendered harmless by patches and updates over the years.

But as the former official said, government agencies and individuals have a poor track record of patching and updating, so while Microsoft might have done its part to inoculate against the Shadow Brokers' leak, there is no way to know how many devices remain vulnerable.