On Friday, the Shadow Brokers hacking group continued its record of leaking NSA hacking tools by detailing a series of flaws in the Windows operating system. The NSA has also been implicated in an alleged breach of the global bank payment transfer system SWIFT.
In response to the critical vulnerabilities found in the NSA files, Microsoft said it was already aware of the issues. In a strangely vague statement published on Friday, the company explained that the majority of the exploits have already been patched.
Microsoft usually acknowledges third-parties who point it towards vulnerabilities in its products. This time around, there is no such disclosure. Microsoft hasn’t specified how it identified the issues and managed to fix them all before the flaws reached the Internet. The circumstances have given rise to a swirl of theories regarding Microsoft’s treatment of the matter.
It is possible that Microsoft was privately contacted by someone within the NSA who was aware that Shadow Brokers was going to leak the exploits. This is not unprecedented as Shadow Brokers has previously given the NSA notice of the vulnerabilities it’ll publicly release. An NSA worker could have assisted Microsoft to mitigate the impact of the disclosure. The company has denied these suggestions.
Alternatively, the Shadow Brokers may have released the exploits already knowing they were patched by Microsoft. By only leaking vulnerabilities with fixes already available, the group could create confusion while offering PC users some protection. Windows machines with automatic updates enabled were guarded against the attacks by the time Shadow Brokers released the files.
Without any explanation from Microsoft, the incident has forced reconsideration of how this kind of exploit is handled. Because Microsoft had already patched the issues without telling anyone, news organisations across the world incorrectly reported that Windows machines were vulnerable.
Security researchers verifying whether the files were effective did not test them against the latest patches as there was no indication anything had changed. The mistake has led many in the industry to rethink how they test leaked exploits.
Microsoft said it detailed the flaws on Friday as part of its coordinated vulnerability disclosure program. It included its usual references to working with external security researchers to identify flaws in the Windows ecosystem, without elaborating on the assistance it received in releasing updates for the Shadow Brokers bugs.
“We have long supported coordinated vulnerability disclosure as the most effective means to ensure customers and the computing ecosystem remains protected. This collaborative approach enables us to fully understand an issue and to deliver protection before customers are at risk due to public disclosure of attack methods,” said Microsoft. “We work closely with security researchers worldwide who privately report concerns to us.”
It’s believed the NSA may have used some of the flaws to compromise Windows Server machines responsible for running SWIFT, the global money transfer system. PowerPoint files found in the NSA hacking tools reveal the organisation has access to programs that can breach SWIFT firewalls and then use Windows exploits to gain access to servers. The authenticity of the claims has not been verified.
