Microsoft says it already patched ‘Shadow Brokers’ NSA leaks
Yesterday, the mysterious “Shadow Brokers” posted some hacking tools for Windows that were allegedly stolen from the NSA. All of them were at least a few years old, but exploited flaws in several versions of the operating system to move across networks and infect systems. Early Saturday morning, Microsoft responded with a blog post, saying it has evaluated all of the exploits listed. Its response to the release is surprisingly simple: most of them have already been fixed.
In a statement to Reuters yesterday, Microsoft said that “Other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers,” but that may not be the entire truth. For three of the exploits, Microsoft says they don’t affect supported platforms (read: any operating system recent enough that it’s still receiving security updates; if you’re still using an older one, you need to upgrade to Windows 7 or newer). For the other seven, the company says all of them are addressed by updates and patches (notably, the patches reveal these exploits also impacted Windows 10 and Windows Server 2016).
What’s particularly curious is that four of the exploits — EternalBlue, EternalChampion, EternalRomance and EternalSynergy — were fixed in an update just last month, on March 14th. Because “The Shadow Brokers” listed what tools they had in January, it seemed like the NSA had to know this release could happen. Despite a long list of acknowledgments for security issues discovered and fixed in the March 2017 update, as @thegrugq points out, there’s no name listed for the MS17-010 patch that fixed these.
So it’s unclear how that happened, but the timeline looks like this: January reveal -> February Microsoft skips its usual “Patch Tuesday” security update -> March Microsoft spontaneously fixes several flaws that no one knew existed for several years prior. Clearly, someone said something. Security researcher Mustafa Al-Bassam has a possible explanation, musing that Microsoft paid up and quietly bought the exploits, while Zerodium CEO (and purchaser of vulnerabilities) Chaouki Bekrar also suggests the Shadow Brokers gave Microsoft the info.
Source: MS17-010, Microsoft TechNet Blog