Cybersecurity

Microsoft says it's all patched up


Microsoft's "Patch Tuesday" is a cybersecurity ritual, but the company faced a potential off-day crisis when the Shadow Brokers chose Good Friday to release a trove of exploits of Microsoft products.

The latest Shadow Brokers release, "Lost in Translation," included a folder full of Windows exploits that cybersecurity experts initially characterized as the most devastating release of National Security Agency tools to date. @hackerfantastic referred to it on Twitter as a "Microsoft Apocalypse."

Microsoft, however, said that the potential damage had already been contained.

"Our engineers have investigated the disclosed exploits, and most of the exploits are already patched," the company said in a blog post.

"Of the three remaining exploits, 'EnglishmanDentist', 'EsteemAudit', and 'ExplodingCan', none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk," Microsoft stated. "Customers still running prior versions of these products are encouraged to upgrade to a supported offering."

Microsoft told the Intercept and other outlets on April 14 that, "at this time, other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers."

However, that statement does not preclude the possibility that Microsoft could have received a more general warning about exploits that did not specifically reference the Shadow Brokers. Microsoft declined to address any further questions from FCW on the subject.

A former senior intelligence official who spoke to FCW on condition of anonymity said that, hypothetically, something like the August 2016 announcement by the Shadow Brokers that they were in possession of stolen NSA tools would have triggered internal discussions about whether private vendors should be warned about vulnerabilities and potential exploits.

The former official stated that it is government policy not to confirm whether the stolen data belonged to the NSA, and he could not confirm or deny whether any outreach has taken place to warn vendors of vulnerabilities.

However, the source added that if a vendor had already patched a vulnerability, then the government's Vulnerabilities Equities Process would not require disclosure.

That means that while those who had updated their systems would be immune from an exploit, that tool could still be used by the government or anyone else against unpatched devices -- so the tools would still be of value. As has been the case with previous Shadow Brokers releases, the exploits and tools they claim to have stolen from the NSA are several years old, and in the case of the Microsoft exploits, they appear to have been rendered harmless by patches and updates over the years.

But as the former official said, government agencies and individuals have a poor track record of patching and updating, so while Microsoft might have done its part to inoculate against the Shadow Brokers' leak, there is no way to know how many devices remain vulnerable.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.

