Microsoft's Timely Response to Shadow Brokers Threat Raises Questions
Apr 18, 2017 9:58 AM PT
Just as the Shadow Brokers hacker group started crowing about a dump of never-seen-before flaws in Windows, Microsoft announced it already had fixed most of the exploits.
"Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers," Microsoft Principal Security Group Manager Phillip Misner wrote in a Friday post.
"Our engineers have investigated the disclosed exploits, and most of the exploits are already patched," he added.
Three of the dozen zero-day vulnerabilities the hackers aired, which they claimed were part of a large cache of data leaked from the U.S. National Security Agency, did not work at all on Windows 7 and above.
"Customers still running prior versions of these products are encouraged to upgrade to a supported offering," Misner recommended.
As of the most recent patch cycle, no supported versions of Windows were vulnerable to the Shadow Brokers exploits, said Bobby Kuzma, a system engineer at Core Security.
"In other words," he told TechNewsWorld, "for the love of God, get XP, Vista and 2003 Server off of your networks."
Microsoft's decision not to patch vulnerabilities affecting older versions of Windows that no longer are supported is understandable, but it doesn't make the situation less worrisome, said James Scott, a senior fellow at the Institute for Critical Infrastructure Technology.
Many systems used in homes, businesses and critical infrastructure run on versions of Microsoft's operating system prior to Windows 7.
"Microsoft's decision to knowingly put these systems at further risk, for any amount of time -- even the hours or days necessary for resource allocation and modernization -- is irresponsible," Scott told TechNewsWorld.
"Every business, individual and critical infrastructure operating an OS that precedes Windows 7 remains at risk of compromise and exploitation," he said.
What's more, "the disclosure has drastically increased this risk by making knowledge of the vulnerability and attack vector publicly available to unsophisticated script kiddies, cybercriminals, cybermercenaries, hail mary threat actors, cyberterrorists and nation-state APTs," Scott added.
Microsoft's release of patches and disclosure of vulnerabilities is a good thing, but enterprises need to take the process to the next step, cautioned Leo Taddeo, chief security officer at Cryptzone and a former FBI special agent.
"According to the 2016 Verizon Data Breach Investigations Report, most successful attacks exploit known vulnerabilities that have never been patched, despite patches being available for months or even years," he told TechNewsWorld.
"So, while it's important that Microsoft publicly disclosed the vulnerabilities and issued a patch," Taddeo continued, "the challenge for enterprises is to update their infrastructure with the latest supported version of the affected products."
The same is true for consumers.
"Microsoft did the right thing by patching Windows as quickly as possible and getting the patches to people," said Jack E. Gold, principal analyst at J.Gold Associates.
"Whether they deploy them or not is a different issue," he told TechNewsWorld. "Two-thirds to three-quarters of consumers don't even have up-to-date antivirus programs. If they're not concerned about that, how concerned are they going to be about these patches?"
Questions About Sourcing
Although Microsoft is usually very responsible about crediting the sources who make the company aware of vulnerabilities in its products, that wasn't the case with the Shadow Brokers flaws.
That raises a number of possible scenarios, suggested Core Security's Kuzma. Perhaps Microsoft found the vulnerabilities itself -- or it may have purchased them from Shadow Brokers when the outfit put them up for sale on the Dark Web earlier this year. The Shadow Brokers may have pre-leaked the flaws to Microsoft, or perhaps the NSA passed them on to the company.
The timing of Microsoft's action raises some questions, Scott White, director of the cybersecurity program at The George Washington University, told TechNewsWorld.
"Microsoft had a ton of vulnerabilities in Windows, and it just found them a month before we were about to get a zero day attack?" he asked. "Were these patches discovered by Microsoft or was someone assisting Microsoft and letting them know of these vulnerabilities?"
Potential Threat to Everyone
The Shadow Brokers flaws likely will impact businesses more than consumers.
"The danger for consumers is limited as long as they're keeping their security updated," said Mike Cotton, vice president of research and development at Digital Defense.
"Microsoft has gotten good at ensuring that if you're behind a firewall or logging on to public WiFi, the network services that these exploits target are not exposed under most configurations," he told TechNewsWorld.
"Most of the risks are on business networks because the way they're configured those network services are exposed to these exploits," Cotton added.
As for the Shadow Brokers, their bark may be worse than their bite.
"They're an irritant more than an absolute threat to our national security compared to the Russians or Chinese -- but it doesn't make them any less criminal. They may be small fish in the pond, but they're still fish," GW's White said.
"The threat from this group derives from the fact they have some kind of source that is able to get them weaponized tools from the NSA," Cotton added.
"The NSA is a tier-one cyberpower -- maybe the preeminent cyberpower in the world," he explained, "so if there's an inside source leaking tools to Shadow Brokers, the distribution of those tools poses a large threat to everyone."