Shadow Brokers and what the leaks mean to Windows users

    I’m a little late to the party on this one.

    As many/most/all of you know, on Friday a group called Shadow Brokers published an enormously damaging trove of code, apparently from the NSA, with all sorts of exploits and hacking tools. Most (if not all) versions of Windows are in the crosshairs.

    Our tax dollars at work.

    To catch up, there’s a series of articles every Windows user should read.

    Dan Goodin, Ars Technica: NSA-leaking Shadow Brokers just dumped its most damaging release yet

    Andy Greenberg, Wired: Major leak suggests NSA was deep in Middle East banking system

    Philip Misner, Microsoft Security Response Center: Protecting customers and evaluating risk

    Microsoft’s analysis (which is undoubtedly accurate, but will be debated endlessly):

    Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.

    Code Name          Solution
    -----------------  ------------------------------------------------
    EternalBlue        Addressed by MS17-010
    EmeraldThread      Addressed by MS10-061
    EternalChampion    Addressed by CVE-2017-0146 & CVE-2017-0147
    "ErraticGopher"    Addressed prior to the release of Windows Vista
    EskimoRoll         Addressed by MS14-068
    EternalRomance     Addressed by MS17-010
    EducatedScholar    Addressed by MS09-050
    EternalSynergy     Addressed by MS17-010
    EclipsedWing       Addressed by MS08-067

    Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.

    MS17-010, which figures prominently in that table, is the one that fixed the SMBv1 hole in all versions of Windows. This month’s patches don’t figure in any of the discussions. We’re still at MS-DEFCON 1.
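    Since the whole question for a Windows user comes down to "is SMBv1 still exposed on this box, and did the March patches land?", here is an audit script for that, written for this post as an added example (it is not Microsoft's code and not from the original article). It assumes an elevated PowerShell session; the SMB cmdlets exist on Windows 8 / Server 2012 and later, and on older hosts it falls back to the documented LanmanServer registry value. The MS17-010 KB numbers differ per Windows version and are not listed on this page, so the script takes them as a parameter that you fill in from the bulletin; the cutoff date is an assumption matching the March 2017 Patch Tuesday.

```powershell
# Added example (not from the original post): audit one Windows host for the
# SMBv1 exposure that MS17-010 closes. Reports whether SMBv1 is still enabled,
# which updates arrived on or after a cutoff date, and (if you supply the KB
# list from the MS17-010 bulletin) whether one of those KBs is installed.
# Assumes an elevated session.
param(
    # Assumed cutoff: March 2017 Patch Tuesday, when MS17-010 shipped.
    [datetime]$PatchCutoff = (Get-Date '2017-03-14'),
    # Placeholder: MS17-010 KB numbers for this Windows version, from the bulletin.
    [string[]]$Ms17010Kbs = @()
)

$report = [ordered]@{}

# 1. Is the SMBv1 server protocol enabled?
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb = Get-SmbServerConfiguration
    $report['SMB1ServerEnabled'] = [bool]$smb.EnableSMB1Protocol
} else {
    # Windows 7 / Vista / XP lack the SMB cmdlets; read the registry value instead.
    # A missing SMB1 value means the default, which is enabled.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -ErrorAction SilentlyContinue
    $report['SMB1ServerEnabled'] = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
}

# 2. Is the SMB1Protocol optional feature still installed (Windows 8.1 / 10)?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { $report['SMB1FeatureState'] = $feature.State.ToString() }

# 3. Which hotfixes were installed on or after the cutoff?
$installed = Get-HotFix
$recent = $installed | Where-Object { $_.InstalledOn -ge $PatchCutoff } | Sort-Object InstalledOn
$report['UpdatesSinceCutoff'] = ($recent | ForEach-Object { $_.HotFixID }) -join ', '

# 4. If the caller supplied the MS17-010 KB list, check for a match.
if ($Ms17010Kbs.Count -gt 0) {
    $ids = $installed | Select-Object -ExpandProperty HotFixID
    $report['MS17010Present'] = [bool]($Ms17010Kbs | Where-Object { $ids -contains $_ })
}

[pscustomobject]$report | Format-List

# Mitigation for a host that cannot be patched promptly: turn the SMBv1 server off.
# Uncomment to apply (Windows 8 / Server 2012 and later):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

    Run it as `.\Check-Smb1.ps1 -Ms17010Kbs 'KB<from bulletin>'`. A host that shows `SMB1ServerEnabled : True` and nothing installed since the cutoff is the case Microsoft's advisory is talking about; on supported versions the fix is the update, and disabling SMBv1 removes the listening surface for the EternalBlue/EternalRomance/EternalSynergy family regardless of patch state.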

    I haven’t seen any evidence that the disclosure is being used by Microsoft to convince folks to move to Windows 10. (I do note, with some nostalgia, that the demise of the Security Bulletin system will make such analysis and communication much more cumbersome in the future.)

    So… the sky isn’t falling. But there are some very gray clouds out there, and a whole bunch of cretins jumping around trying to incorporate the Shadow Brokers code into their products. Those of you who patched through last month’s Patch Tuesday crop are OK, according to Microsoft – and they should know. Windows XP and Vista remain debatable. Those of you in Group W — who aren’t patching at all — should take note.

    Last night, MrBrian started a Lounge thread on the topic. I’ve moved it to the location referenced above. Thanks, MrBrian.