Microsoft says it's all patched up

Microsoft's "Patch Tuesday" is a cybersecurity ritual, but the company faced a potential off-day crisis when the Shadow Brokers chose Good Friday to release a trove of exploits of Microsoft products.

The latest Shadow Brokers release, "Lost in Translation," included a folder full of Windows exploits that cybersecurity experts initially characterized as the most devastating release of National Security Agency tools to date. @hackerfantastic referred to it on Twitter as a "Microsoft Apocalypse."

Microsoft, however, said that the potential damage had already been contained.

"Our engineers have investigated the disclosed exploits, and most of the exploits are already patched," the company said in a blog post.

"Of the three remaining exploits, 'EnglishmanDentist', 'EsteemAudit', and 'ExplodingCan', none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk," Microsoft stated. "Customers still running prior versions of these products are encouraged to upgrade to a supported offering."

Microsoft told the Intercept and other outlets on April 14 that, "at this time, other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers."

However, that statement does not preclude the possibility that Microsoft could have received a more general warning about exploits that did not specifically reference the Shadow Brokers. Microsoft declined to address any further questions from FCW on the subject.

A former senior intelligence official who spoke to FCW on condition of anonymity said that, hypothetically, something like the August 2016 announcement by the Shadow Brokers that they were in possession of stolen NSA tools would have triggered internal discussions about whether private vendors should be warned about vulnerabilities and potential exploits.

The former official stated that it is government policy not to confirm whether the stolen data belonged to the NSA, and he could not confirm or deny whether any outreach has taken place to warn vendors of vulnerabilities.

However, the source added that if a vendor had already patched a vulnerability, then the government's Vulnerabilities Equities Process would not require disclosure.

That means that while those who had updated their systems would be immune to an exploit, the tool could still be used by the government or anyone else against unpatched devices, so the tools would retain their value. As has been the case with previous Shadow Brokers releases, the exploits and tools they claim to have stolen from the NSA are several years old, and in the case of the Microsoft exploits, they appear to have been rendered harmless by patches and updates over the years.

But as the former official said, government agencies and individuals have a poor track record of patching and updating, so while Microsoft might have done its part to inoculate against the Shadow Brokers' leak, there is no way to know how many devices remain vulnerable.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.
