Late last week, a hacker group known as The Shadow Brokers released a trove of Windows exploits it claims to have obtained from National Security Agency's (NSA's) elite hacking team. The group released the tools and presentations and files claiming to detail the agency's methods of carrying out clandestine surveillance on Windows server software dating back to Windows XP and set off a mild panic for what was otherwise a slow Friday.
There’s just one problem: Microsoft says it has already issued patches for the majority of exploits, with some of them coming out as recently last month. The MSRC team made a blog post on Friday, the same day Shadow Brokers released the exploits, pointing this out. It was a remarkably quick response.
"Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products," wrote Phillip Misner, principal security group manager for the Microsoft Security Response Center.
Code Name |
Solution |
“EternalBlue” |
Addressed by MS17-010 |
“EmeraldThread” |
Addressed by MS10-061 |
“EternalChampion” |
Addressed by CVE-2017-0146 & CVE-2017-0147 |
“ErraticGopher” |
Addressed prior to the release of Windows Vista |
“EsikmoRoll” |
Addressed by MS14-068 |
“EternalRomance” |
Addressed by MS17-010 |
“EducatedScholar” |
Addressed by MS09-050 |
“EternalSynergy” |
Addressed by MS17-010 |
“EclipsedWing” |
Addressed by MS08-067 |
The exploits, all with peculiar names that start with the letter E, allowed a hacker to compromise affected computers and affected a variety of Windows versions. One of the exploits dated back to Windows Vista, but was addressed before Vista was even released.
Microsoft said three of the exploits -- ENGLISHMANDENTIST, ESTEEMAUDIT, and EXPLODINGCAN -- could not be reproduced on supported systems, which means anyone using Windows 7 or above is not at risk. Of course, customers still running those older operating systems are encouraged to upgrade to a supported operating system, Microsoft said in the blog post.
Some of these vulnerabilities are incredibly old. ExplodingCan creates a remote backdoor by exploiting older versions of Microsoft’s Internet Information Services Web server on older versions of Windows Server. EternalSynergy is a remote SMB exploit for Windows 8 and Server 2012. And EternalRomance is a remote SMB1 exploit targeting Windows XP, Vista, 7 and 8, plus Windows Server 2003, 2008 and 2008 R2.
Some researchers caused a panic by stating these exploits were zero-days, meaning they were vulnerabilities Microsoft was not aware of. Apparently, they didn’t bother to test against a recently patched system.