
Shadow Brokers exploits are patched or inactive on supported Windows platforms - alpb
https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/
======
hexadecimated
Nice to see that these weren't zero day exploits after all, despite the claims
being spread over Twitter.

Looks like some amateur security researchers forgot to patch their test VMs.

~~~
celticninja
Do you have a source for that? Looks like MS have released a number of patches
for these exploits and so have other software vendors so I'm not sure what
your claim is based on.

~~~
hexadecimated
The exploits were released yesterday and the linked article says they have all
been patched.

------
pinpeliponni
I noticed Microsoft has been very careful not to mention NSA.

~~~
stordoff
Why would they? The immediate concern is whether or not the exploits are still
a risk, not determining the origin. Any future use of them is likely to be
groups other than NSA at this point anyway.

If/when Microsoft do call out the NSA, I imagine it'll a) be filtered through
their press/PR teams and b) be after they've had time to verify the source (it
seems overwhelmingly likely to be NSA-originated, but I'd guess MS will do
their own investigation and not just take it at face value).

~~~
toyg
MS will never "call out" anybody, in particular nobody in the US government -
one of the few entities on the planet who can make Redmond's life materially
harder. MS and authorities have a long history of peaceful collaboration and
there is no reason to believe this state of things will change anytime soon.

------
nthcolumn
So NSA knew 90 days ago and gave MS the heads up. They patched hurriedly, e.g.
14th March for EternalBlue - but didn't say anything to their customers
re: patches must go ASAP (many large corporations have to phase them - i.e. not
at all at once on First Tuesday) so many companies are currently still
vulnerable and probably won't hit them until next Tuesday after the Bank
Holiday. What a mess.

~~~
fulafel
Corporations don't have to delay critical security patches, they just elect to
do so based on some motives that compete with security.

~~~
archvile
"Some motive" I think would equate to fear of breaking mission critical or
legacy applications. In a high-stakes environment, I'd imagine functionality
would win out initially over security, until everything has time to be tested
properly.

------
1ris
I just don't believe shadowbrokers just burned all their 0days. I assume they
only release the cheapest exploits and either sell or keep the rest. E.g.
Russia now has several NSA exploits.

~~~
amq
Those '0days' are not worth much after they were patched by MS in March.

------
noja
In other words "Not all"

~~~
pluma
> Of the three remaining exploits [...] none reproduces on supported
> platforms, which means that customers running Windows 7 and more recent
> versions of Windows or Exchange 2010 and newer versions of Exchange are not
> at risk.

So none of the exploits should be a problem if you're on somewhat recent
versions of Windows and Exchange (as applicable). If you're still on Windows
Vista, XP, 2000 or NT, you likely have bigger problems already.

~~~
21
> somewhat recent versions of Windows

Windows 7 was released in 2009, eight years ago. I wouldn't call that
"somewhat recent"

~~~
pluma
I see you haven't worked in the public sector or non-tech enterprises.

------
justinjlynn
> Customers still running prior versions of these products are encouraged to
> upgrade to a supported offering.

That's a very polite way to say "fuck you, pay me".

~~~
stordoff
Windows 7 released in 2009, and MS will keep issuing security patches until
2020. They also responded to this on Friday/Saturday of Easter weekend.

There's not a whole lot you can blame MS for here, except for the bugs
existing in the first place (which is all but inevitable given the size of the
codebase and the amount of scrutiny under which various groups put it).

~~~
Markoff
the problem is not really Windows, but hardware abandoned by manufacturers, my
mother has perfectly good/sufficient computer for her needs running Win7,
which can't be upgraded any further (wanted to upgrade from Vista to W10 or
W8, to find the most recent I can get is W7) because of video drivers not
supported anymore and there is not really workaround, so it would require
buying new video card, which in the end means I might as well just buy for her
new Android tablet and get rid of the PC or might as well, just install there
Linux in the end

~~~
dsp1234
_because of video drivers not supported anymore and there is not really
workaround, so it would require buying new video card_

A cheap 1GB video card can be had for $25.[0][1] And it is currently supported
for the Windows 10 platform.[2]

Which is not to say that Linux and/or an Android tablet wouldn't be the best
solution, just that the purchase and installation of a new video card is maybe
not as expensive as would seem.

[0] - [https://www.newegg.com/Product/Product.aspx?Item=N82E16814130880](https://www.newegg.com/Product/Product.aspx?Item=N82E16814130880)

[1] - [https://www.newegg.com/Product/ProductList.aspx?Submit=ENE&N=100007709%204093&IsNodeId=1](https://www.newegg.com/Product/ProductList.aspx?Submit=ENE&N=100007709%204093&IsNodeId=1)

[2] - [http://www.nvidia.com/download/driverResults.aspx/112596/en-us](http://www.nvidia.com/download/driverResults.aspx/112596/en-us)

~~~
Markoff
I am aware it's not so expensive, but compared to current value of computer is
also not negligible amount anymore, thus I would not mind spending more money
and have something more suitable for her needs, since she doesn't really need
computer, though I would probably first try some up to date Linux distro

------
kikigaki
So they are now patched, shadowbrokers have found plenty of new vulns since
then. Loads of Linux vulns too, makes up a big part of the internet, which
makes it potentially even more scary.

------
partycoder
One thing is collaborating with law enforcement, another thing is
collaborating on mass surveillance. Microsoft collaborated setting up mass
surveillance (PRISM).

One thing is a bug, another one is a backdoor. Are these good faith bugs or
willful backdoors? Most likely they're bugs, but it is hard to know.

If I was Microsoft and I wanted to willfully plant a backdoor, I would take
precautions to be able to get away with it if caught. Because security
researchers can analyze them, and foreign governments have Windows source
code, leaving intentional bugs as the only choice.

Now, the reasons I am suspicious of Microsoft:

- PRISM. Which is unequivocally mass surveillance.

- The Flame malware was able to install itself via Windows Update:
[http://www.computerworld.com/article/2503916/malware-vulnerabilities/researchers-reveal-how-flame-fakes-windows-update.html](http://www.computerworld.com/article/2503916/malware-vulnerabilities/researchers-reveal-how-flame-fakes-windows-update.html).
The means by which the Flame authors achieved this are easier to explain if they
received help from Microsoft.

- When Windows NT SP5 was released, the build accidentally came with
debugging symbols (i.e., variable names were visible in binaries). A researcher
found a variable called "_NSAKEY" containing a key which could be used to
forge signatures.
[https://en.wikipedia.org/wiki/NSAKEY](https://en.wikipedia.org/wiki/NSAKEY).
Microsoft's explanation was that it wasn't related to the NSA, and that NSA in
that context meant something else.

~~~
hexadecimated
This idea that Microsoft is deliberately introducing bugs into its software so
nation states can exploit them is so absurd, it really is tinfoil hat
conspiracy theory ludicrousness.

~~~
kuschku
It doesn't have to be known by Microsoft management.

It's enough if the NSA has people working at MS on their payroll.

~~~
hexadecimated
That's just an insinuation of conspiracy with no evidence whatsoever behind
it. The more believable alternative is that developers simply make mistakes
now and then.

~~~
MichaelGG
But having state sponsored employees is so obvious, effective, and cost
efficient it seems odd to assume it's not being done. The US found a bunch of
Russian spies a while back.

But true, it's not right to assume any particular vuln is from spies.

~~~
kuschku
Correct. But you have to assume the spies have vulns in there, either
intentionally added, or, if they found vulns, they simply reported them to
their agency, instead of their employer.

