The latest release of exploits and vulnerabilities from the Shadow Brokers came as a surprise to many observers, but not to the security team at Microsoft. It turns out that the company already has patched most of the flaws in its products that were exposed in last week’s exploit dump.
The Shadow Brokers have published several separate sets of vulnerabilities, exploits, and tools that are believed to be connected to the NSA. The most recent cache, published last week, includes information on several previously undisclosed vulnerabilities in Microsoft products, specifically in the company’s SMB server. The new release details several critical remote code execution flaws in that server, which is a key part of Microsoft’s networking system.
Microsoft officials said on Friday that the company already had patched many of the vulnerabilities disclosed in the Shadow Brokers release, and the ones that hadn’t been fixed yet don’t affect currently supported products.
“Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Of the three remaining exploits, ‘EnglishmanDentist’, ‘EsteemAudit’, and ‘ExplodingCan’, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering,” Phillip Misner, principal security group manager at Microsoft, said.
The Shadow Brokers is an anonymous group that has been releasing exploits, tools, and vulnerabilities that experts believe are part of toolsets used by the NSA in recent years. The dumps have come at irregular intervals for the last few months, following an unsuccessful attempt by the group to sell access to the full cache. Although the group published its latest batch of information just last week, the update that Microsoft used to patch the SMB vulnerabilities and others in the cache was issued in March. This suggests that Microsoft had advance warning of the information release.
Some of the other vulnerabilities were patched several years ago, including one as far back as 2008. That vulnerability, which affects many older versions of Windows, likely was a highly valuable one before it was reported to Microsoft.
“The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit,” the bulletin for the bug from 2008 says.
In its bulletin for the MS17-010 SMB flaws, Microsoft doesn’t provide any details on who disclosed the vulnerabilities to the company or when. The advisory simply acknowledges “those in the security community who help us protect customers through coordinated vulnerability disclosure.”