
Microsoft fixed security gaps allegedly used by spies a month before they leaked - anjalik
https://qz.com/960501/microsoft-msft-mysteriously-managed-to-fix-nsa-targeted-security-gaps-revealed-in-shadow-brokers-leak/
======
jo_
Perhaps they were fixed as part of unrelated bug fixes? That would explain why
they didn't credit anyone as having reported them. Something like, "Fixed bad
return value leak," or "refactoring old method" could break the exploits.

------
code_duck
Perhaps someone had noted intrusions using these methods and reported it to
Microsoft, but don't want to publicly report that they had a security
incident.

------
partycoder
Just try not to be naive when trying to understand espionage and
counterespionage. A clever strategy is to give the adversary what they want,
while profiting from it. Let them have the feeling they're winning while
they're actually losing.

0 days may be real and the exploits may be real too. But maybe the higher
objective was to make people believe that the NSA operates regularly through 0
days, that there's no preferential disclosure of bugs between them and
Microsoft, and that they do not rely on RNG/crypto/hardware/software tricks or
backdoors. We will never have the means to truly know if any of that is the
case.

So while the leak might be real, it could still be fake in the sense that it
is not representative of reality in terms of how they operate.

Then, you do not fully know if running the exploits comes with unexpected side
effects put there by the authors.

I am very skeptical of high profile leaks with full media coverage such as
this one, as well as Assange, Snowden, etc. Maybe the information is true but
cherry-picked, and potentially mixed with false information.

Do not underestimate people that make a living dealing with classified
information and asymmetric information.

------
jplayer01
I assume because the NSA told them when it was clear these were going to be
leaked.

~~~
nimih
Or maybe the exploits were leaked once the exploits lost a lot of their value
due to MS fixing the bug(s).

------
drzaiusapelord
The NSA knew they were burned and these exploits would be used against
American interests shortly. I imagine they sent them to MS. Note these
particular fixes have no source, which, while not uncommon, is very telling
considering it's multiple items with no credit.

They're also very nasty for sysadmins. SMB exploits giving SYSTEM level access
on servers and domain hacks are pretty much worst case scenarios. I pity any
shop that hasn't updated yet. The attacks are weaponized and are in the wild
right now packed into trojans, ransomware, crimepacks, etc.

~~~
hashhar
No sysadmin should be using SMBv1 in the first place though.

I agree completely with your first paragraph though and it seems like a likely
situation.

~~~
drzaiusapelord
Sysadmins don't make business decisions. Management says 'support this legacy
crap' and SMBv1 stays.

~~~
hashhar
It's a chicken and egg problem too. As the comment above, referring to Apple
having issues with SMBv2 and v3, points out, they can't do anything but use SMBv1.

It's sad really.

------
captainmuon
One explanation is that someone tried to use the exploits in a less than
inconspicuous way, which resulted in a crash, and then Microsoft's crash
reporting picked it up. I read somewhere they specifically look for
exploitable crashes (e.g. buffer overflows) in the long tail of rare crashes
and try to fix them. But I'm just speculating of course.

------
willstrafach
The codenames / cover terms were in ShadowBrokers screenshots back in January.
It would be very strange if at least one person at NSA had not seen this and
reported beforehand to Microsoft (with or without the agency knowing).

------
finid
Likely because the gaps were coded in at the request of said spies.

