Microsoft has patched most of the new Windows exploits from the Shadow Brokers thought to be zero-days, but experts say there are still risks in the wild.
The Shadow Brokers gave the infosec world the gift of more NSA hacking tools and techniques for Easter weekend, and although experts tend to see the SWIFT banking attack information as more dangerous, there were also several Windows exploits released in the data dump.
The Microsoft Security Response Center said in a blog post that Microsoft “engineers have investigated the disclosed exploits, and most of the exploits are already patched.” Microsoft listed 12 Windows exploits found in the latest Shadow Brokers release and said nine of them were patched between 2008 and the March 2017 Patch Tuesday release.
“Of the three remaining exploits, ‘EnglishmanDentist’, ‘EsteemAudit’, and ‘ExplodingCan’, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk,” Microsoft wrote in the blog post. “Customers still running prior versions of these products are encouraged to upgrade to a supported offering.”
Kevin Beaumont, a security architect based in Liverpool, detailed 13 Windows exploits — the one extra exploit not listed by Microsoft called “Zippybeer” was an authenticated Microsoft Domain Controller exploit, which Beaumont said may have been patched in 2014.
Of the 12 Windows exploits listed by both Microsoft and Beaumont, nine of the NSA cyberweapons released targeted the Server Message Block (SMB) v1 protocol, with the other exploits targeting Microsoft IIS 6, Windows Remote Desktop Protocol and Outlook Web Access. Beaumont’s analysis also diverged from Microsoft’s in that he tested some of the tools and found they worked on Windows 8 and Windows Server 2008, two versions of Windows that are still eligible for extended support from Microsoft.
Experts said the risk to enterprises from these Windows exploits should not be underestimated, because the use of legacy unsupported systems is still common.
“Organizations frequently have end-of-life or unsupported systems with older protocol versions and that is the concern here,” Amol Sarwate, director of engineering at Qualys, Inc., told SearchSecurity. “As there are no security patches released for unsupported systems, organizations are greatly exposed if they have unsupported software with a public exploit like this.”
Tom Kellermann, CEO of Strategic Cyber Ventures, said these vulnerabilities can be especially dangerous for systems that maintain critical infrastructure because they often use legacy versions of Windows.
“Transportation, energy and some financial sector wire transfer systems are exploitable as a result,” Kellermann told SearchSecurity. “The real issue here is that Shadow Brokers released these cyber guns to the streets of American cyberspace to create a free-fire zone. Shadow Brokers basically gave bullets to the masses of cyber criminals — it’s almost like someone handing out guns in an armory where there are not enough bullet proof vests to go around.”
Shadow Brokers release timing
Chris Wysopal, CTO and co-founder of Veracode, said the timing of the release “was well designed.”
“Some of the exploits are for Windows Vista which was just end-of-lifed on Tuesday [last] week. This means they may never get patches for the vulnerabilities,” Wysopal told SearchSecurity. “Also the release is on Good Friday and Easter weekend so many people are already travelling to visit family and not at their computers. This will increase lag time on getting any patches out.”
However, some questioned the timing of the release of these Windows exploits because of Microsoft’s release of three patches related to these tools in March. Some saw this timing as pure coincidence while others speculated about the aims of the Shadow Brokers, when Microsoft found out about these vulnerabilities and who disclosed them.
[Embedded tweet from Edward Snowden (@Snowden), April 15, 2017; tweet text not captured on this page.]
A Microsoft spokesperson said in a statement that the company does not acknowledge the source of a disclosure “for reasons including reports from employees, requests for non-attribution, or if the finder doesn’t follow coordinated vulnerability disclosure.” Microsoft also added that in this case, “other than reporters, no individual or organization has contacted us in relation to the materials released by the Shadow Brokers.”