Shadow Brokers exploits are patched or inactive on supported Windows platforms (technet.microsoft.com)
131 points by alpb on April 15, 2017 | hide | past | favorite | 84 comments


Nice to see that these weren't zero day exploits after all, despite the claims being spread over Twitter.

Looks like some amateur security researchers forgot to patch their test VMs.


Do you have a source for that? Looks like MS have released a number of patches for these exploits and so have other software vendors so I'm not sure what your claim is based on.


The exploits were released yesterday and the linked article says they have all been patched.


According to ArsTechnica, the Shadow Brokers' exploits were patched (silently) back in March. This suggests that no fully patched system should be vulnerable, which doesn't jibe with what some security researchers were claiming.


Yes, as usual, WikiLeaks and Julian are sensationalizing the heck out of something they've been sitting on for a while. How convenient.


Microsoft patched a lot of the vulnerabilities within the last several months. That doesn't mean that they weren't serious vulnerabilities (i.e. the scope of the exploit) or that they weren't actively used (since the exploits could have been used from the time they were found by hackers to the time they were patched).

Also, I see a lot of green accounts in this thread...


I follow one of the people who was first to test these exploits out. They're not actually an amateur, but they did forget to patch their test VMs. Just like a lot of the other people who replicated the results.


The thing to be fair about there is that you can install Windows 2012 R2 in a VM in about 15 minutes, but if you want to apply all updates, you could be sitting there for hours.

I built and updated two servers on spinning rust last week and it took six separate reboot cycles and nine total hours.

It probably isn't about "forgetting", as much as considering that there was indication patches were relevant and you wanted to start this research today.

Edit: It's easy to call people "amateurs" in hindsight, and not necessarily fair.


But the update rollups do make it easier these days.


MS17-010 was a 0-day.


It was patched last month, so how is it a zero day when these exploits were released yesterday?


It would have been a 0day when the Shadow Brokers would have acquired it from the NSA.


I noticed Microsoft has been very careful not to mention NSA.


Looking at their acknowledgements list it seems advisories always have acknowledgements even when it's Microsoft themselves who find the flaw. However, the MS17-010 patches didn't have any. If that's because they'd have to acknowledge the NSA, then it seems like more stuff is on the way: MS17-019 is also missing from the list. That's also patched in March and is "a vulnerability in Active Directory Federation Services (ADFS). The vulnerability could allow information disclosure if an attacker sends a specially crafted request to an ADFS server, allowing the attacker to read sensitive information about the target system."


Why would they? The immediate concern is whether or not the exploits are still a risk, not determining the origin. Any future use of them is likely to be groups other than NSA at this point anyway.

If/when Microsoft do call out the NSA, I imagine it'll a) be filtered through their press/PR teams and b) be after they've had time to verify the source (it seems overwhelmingly likely to be NSA-originated, but I'd guess MS will do their own investigation and not just take it at face value).


MS will never "call out" anybody, in particular nobody in the US government - one of the few entities on the planet who can make Redmond's life materially harder. MS and the authorities have a long history of peaceful collaboration and there is no reason to believe this state of things will change anytime soon.


The provenance of these exploits is irrelevant to whether or not their products have been patched, so why would they?


I keep reading your response and it does not refute what OP is saying.


So NSA knew 90 days ago and gave MS the heads up. They patched hurriedly, e.g. 14th March for EternalBlue - but didn't say anything to their customers re: patches must go ASAP (many large corporations have to phase them - i.e. not all at once on First Tuesday), so many companies are currently still vulnerable and probably won't hit them until next Tuesday after the Bank Holiday. What a mess.


Corporations don't have to delay critical security patches, they just elect to do so based on some motives that compete with security.


"Some motive" I think would equate to fear of breaking mission critical or legacy applications. In a high-stakes environment, I'd imagine functionality would win out initially over security, until everything has time to be tested properly.


I worked at MSN a while ago, and even we didn't patch everything immediately. It had to go through our team's QA first. We found a few bad installers and that reinforced the practice.


> So NSA knew 90 days ago and gave MS the heads up.

Where do you get that conclusion from? I don't read any such claim in this advisory. MS seems, at least for now, to stay silent about how they got info about those exploits.

There are various ways this could've happened. NSA could've warned them. Shadowbrokers could've warned them. Someone else with inside knowledge could've given them anonymous tips. From the current available information we don't know that.


The Shadowbrokers were trying to sell these exploits. There's screenshots from ~90 days ago with these all listed for sale with slightly modified names.

This probably explains why MS skipped February's patch day. They were extremely busy fixing all of these and wanted to do them all at once.


No you're right I have no idea. For all I know these vulns could have been crafted by MS themselves as convenient backdoors at the behest of the NSA et al with tested patches on ice for the eventuality that they had to go away some day.


Once a patch is released, it's generally quite straightforward to compare before and after, reverse engineering it to find the vulnerability. So the general advice is always to patch as soon as possible.



Which also reminds me of the skipped Feb patches. I quickly figured out that Veeam reported their bug only a week before Patch Tuesday. (see https://forums.veeam.com/veeam-backup-replication-f2/after-t...) This is a good example of how MS's build process works. According to https://blogs.technet.microsoft.com/filecab/2017/01/30/windo... they did go so far as to assign a KB number to the fixed patches, but there was a "build issue" according to Mary Jo Foley. I wonder what the dates would be if it was actually released.


I just don't believe the Shadow Brokers just burned all their 0days. I assume they only release the cheapest exploits and either sell or keep the rest. E.g. Russia now has several NSA exploits.


Those '0days' are not worth much after they were patched by MS in March.


Yes, saving the best 'til last you'd think, or keeping some insurance (lol, they are already dead). But then NSA should know what 0days TSB have left, though, right? Do MS? Also - you are assuming TSB have sold some to Russia (and that Russia would want them)? What Snowden helpfiles do we not have matching warez for? Do the two non-reproducibles require another undisclosed component?


In other words, "not all".


> Of the three remaining exploits [...] none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk.

So none of the exploits should be a problem if you're on somewhat recent versions of Windows and Exchange (as applicable). If you're still on Windows Vista, XP, 2000 or NT, you likely have bigger problems already.


> somewhat recent versions of Windows

Windows 7 was released in 2009, eight years ago. I wouldn't call that "somewhat recent".


I see you haven't worked in the public sector or non-tech enterprises.


For sure those vulns disclosed are not all so NSA must tell MS all now (whether MS knew all - eg. backdoors - in the first place is another thing).


> Customers still running prior versions of these products are encouraged to upgrade to a supported offering.

That's a very polite way to say "fuck you, pay me".


Windows 7 released in 2009, and MS will keep issuing security patches until 2020. They also responded to this on Friday/Saturday of Easter weekend.

There's not a whole lot you can blame MS for here, except for the bugs existing in the first place (which is all but inevitable given the size of the codebase and the amount of scrutiny under which various groups put it).


Hopefully you do not have a recent CPU, as support for those will be dropped on any Windows but 10. Microsoft tried to do this with Skylake but met so much resistance that it pushed the date further out for those and went ahead for the newer CPUs only.


Not sure why you were downvoted. Microsoft started blocking security updates on Windows 7 & 8 for Ryzen and Kaby Lake CPUs as of yesterday.

http://www.pcworld.com/article/3189990/windows/microsoft-blo...


The problem is not really Windows, but hardware abandoned by manufacturers. My mother has a perfectly good/sufficient computer for her needs running Win7, which can't be upgraded any further (I wanted to upgrade from Vista to W10 or W8, only to find the most recent I can get is W7) because the video drivers are not supported anymore and there is no real workaround, so it would require buying a new video card. In the end that means I might as well just buy her a new Android tablet and get rid of the PC, or just install Linux on it.


> because of video drivers not supported anymore and there is not really workaround, so it would require buying new video card

A cheap 1GB video card can be had for $25.[0][1] And it is currently supported for the Windows 10 platform.[2]

Which is not to say that Linux and/or an Android tablet wouldn't be the best solution, just that the purchase and installation of a new video card is maybe not as expensive as would seem.

[0] - https://www.newegg.com/Product/Product.aspx?Item=N82E1681413...

[1] - https://www.newegg.com/Product/ProductList.aspx?Submit=ENE&N...

[2] - http://www.nvidia.com/download/driverResults.aspx/112596/en-...


I am aware it's not so expensive, but compared to the current value of the computer it is also not a negligible amount anymore, thus I would not mind spending more money and having something more suitable for her needs, since she doesn't really need a computer, though I would probably first try some up-to-date Linux distro.


If you are concerned about abandoned hardware with no updates, android is definitely the wrong choice.


This is true only regarding official ROMs, if you choose the right device.


No, because eventually drivers will not be updated, and you will be stuck on an old version, no matter what.


The upgrade path from here is obvious enough: Linux.


They officially researched and responded to what was going to be a fucking hyped out insane event at most major organizations on easter weekend. The fuck you goes to you, it's not the 90s anymore, Microsoft well and truly have their shit together.


Agreed, 2017 MS is vastly, almost inestimably, better than 1997 Microsoft.

I don't use their products (except vscode/typescript) but I appreciate the work they do anyway since windows botnets etc are an ever present threat to the fabric of services running on the internet.


How could that be? I wonder if the retirement of Ballmer has anything to do with it.


From what I recall they had a huge internal change to focus on security about a decade ago.

They really threw resources at it with a top down driven focus to fix their security issues.

It worked.


The turnaround started in 2004, so, not so much.


This is true. They've become vastly better citizens, in terms of their past nastiness and the externalities inflicted on the rest of us, and quite a bit more technically competent since the security push and the end of the Ballmer regime.

Still seem abusive towards their customers, but that's most huge software companies, and doesn't bother me concretely, since I'm not one.


On the other hand, how long do you expect them to support a product past its "use by" date?



Can't compare a kernel to an OS.


It's a different deal though. I didn't pay anyone anything for my kernel; I did pay MS for Windows.


So in your mind how long does that mean MS should support that version of Windows you bought?

Seems like you're arguing MS should switch to a subscription-based model for Windows like most "continuously updated" software has because otherwise I don't see how you can expect them to provide you with free updates perpetually year-after-year after you paid them exactly once for software delivered as-is.


Something more relevant perhaps - https://support.google.com/nexus/answer/4457705?hl=en#nexus_...

So you can expect 3 years from Google for an Android device. Microsoft are already stretching well beyond that. They deserve their props.


Also relevant, RedHat currently offers 10 years by default + a few years "extended support" for more money. Wikipedia has a nice visualization:

https://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux#Versi...

Windows Vista was released in 2007, so I'd say it's fine.


And it said exactly how long it would be supported when you did (you can pay increasingly more per year to keep it supported, as some organizations do, if you insist).

Personally, I avoid everything Microsoft, but I think their support horizon is fair. Tying telemetry to security isn't in my opinion, but it's a different discussion.


Did you pay enough for secure OS? Secure OS would probably be much more expensive than Windows.


The "use by" date could be valid if it were not arbitrarily imposed by the same people who drop support for the sole reason of pushing customers towards the more recent product that includes more surveillance and advertising revenue opportunities.


You're mistaking your own deep ignorance for Microsoft's 'arbitrary' actions.


Unofficial patches will appear, if these are important enough for "Customers still running prior versions of these products". But looking at the list, all these exploits appear to be SMB server/RPC related; regardless of what Windows version you use, exposing that service to the Internet is not a good idea.


Do note that an SMB exploit does give you privilege escalation once inside a network.
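The two comments above boil down to checks a defender can run on a host: is SMBv1 still on, is TCP 445 reachable on the Public firewall profile, and are the MS17-010 fixes installed? The following PowerShell audit is an added example, not code from the thread or from Microsoft; it assumes Windows 8 / Server 2012 or later (SmbShare and NetSecurity modules) and uses a placeholder for the MS17-010 KB ids, which the thread does not list.

```powershell
# Added audit example (not from the thread or from Microsoft): report a Windows
# host's SMB exposure from the defender's side. Assumes Windows 8 / Server 2012
# or later and an elevated PowerShell prompt.
# $Ms17010Kbs is a placeholder: fill in the KB ids from the MS17-010 bulletin.
$Ms17010Kbs = @('KBxxxxxxx')   # placeholder, not a real KB id

function Get-SmbExposureReport {
    param([string[]]$RequiredKbs = $Ms17010Kbs)

    # 1. Is the legacy SMBv1 server protocol (the one MS17-010 concerns) still enabled?
    $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol

    # 2. Enabled inbound allow rules that open TCP 445 on the Public (or Any) profile.
    $exposedRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and
            @($port.LocalPort) -contains '445' -and
            "$($rule.Profile)" -match 'Public|Any') {
            $rule.DisplayName
        }
    }

    # 3. Where is 445 actually listening? 0.0.0.0 or :: means every interface.
    $listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalAddress -Unique

    # 4. Which of the required hotfixes are missing on this host?
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = @($RequiredKbs | Where-Object { $installed -notcontains $_ })

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Smb1Enabled      = $smb1Enabled
        PublicRulesOn445 = @($exposedRules)
        ListeningOn      = @($listeners)
        MissingHotfixes  = $missing
        # Verdict: anything here is a finding to act on (disable SMB1, close 445, patch).
        Exposed          = ($smb1Enabled -or @($exposedRules).Count -gt 0 -or $missing.Count -gt 0)
    }
}

# Remediation for the finding discussed above: turn SMBv1 off. Uncomment to apply.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

Get-SmbExposureReport | Format-List
```

The firewall check only reads the host's own rules, so a host that reports clean can still have 445 exposed by a perimeter device or cloud security group; check those separately.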


You pay either way because Microsoft is not a charitable organization. Either you spend as much (if not more) upfront for ridiculously long term support or you pay for upgrades and get a better operating system every few years. For obvious reasons the overwhelming vast majority of the world has picked the second option.


So they are now patched, but the Shadow Brokers have found plenty of new vulns since then. Loads of Linux vulns too, which makes up a big part of the internet, which makes it potentially even more scary.


One thing is collaborating with law enforcement, another thing is collaborating on mass surveillance. Microsoft collaborated setting up mass surveillance (PRISM).

One thing is a bug, another one is a backdoor. Are these good faith bugs or willful backdoors? Most likely they're bugs, but it is hard to know.

If I was Microsoft and I wanted to willfully plant a backdoor, I would take precautions to be able to get away with it if caught. Because security researchers can analyze them, and foreign governments have Windows source code, leaving intentional bugs as the only choice.

Now, the reasons I am suspicious of Microsoft:

- PRISM. Which is unequivocally mass surveillance.

- The Flame malware was able to install itself via Windows Update: http://www.computerworld.com/article/2503916/malware-vulnera... . The means by which the Flame authors achieved this are easier to explain if they received help from Microsoft.

- When Windows NT SP5 was released, the build accidentally came with debugging symbols (i.e. variable names were visible in binaries). A researcher found a variable called "_NSAKEY" containing a key which could be used to forge signatures. https://en.wikipedia.org/wiki/NSAKEY. Microsoft's explanation was that it wasn't related to the NSA, and that NSA in that context meant something else.


This idea that Microsoft is deliberately introducing bugs into its software so nation states can exploit them is so absurd, it really is tinfoil hat conspiracy theory ludicrousness.


How absurd was Room 641A? Congress had to step in and grant retroactive immunity.

https://en.wikipedia.org/wiki/Room_641A


Room 641A wasn't a software vulnerability trying to hide in plain sight, it was a secret network tap.


>it was a secret network tap

...trying to hide in plain sight, implemented by a major corporation so nation states could exploit customers.


It's unlikely the NSA would illegally infiltrate only one multinational corporate entity given the exposed operational success.


Going back to your original comment

> This idea that Microsoft is deliberately introducing bugs into its software so nation states can exploit them is so absurd, it really is tinfoil hat conspiracy theory ludicrousness

Replace Microsoft with AT&T and suddenly it makes sense?


This is why I said:

> Are these good faith bugs or willful backdoors? Most likely they're bugs, but it is hard to know.

My suspicion on Microsoft has more to do with the latter facts I mentioned.

Then, you need to understand this happens within the framework of espionage, which is by nature concealed and discreet, and not necessarily with consent (e.g. infiltration).


It doesn't have to be known by Microsoft management.

It's enough if the NSA has people working at MS on their payroll.


In the case of Yahoo for example, there were surveillance mechanisms that were even unknown to their security team (a Linux kernel module).


That's just an insinuation of conspiracy with no evidence whatsoever behind it. The more believable alternative is that developers simply make mistakes now and then.


But having state sponsored employees is so obvious, effective, and cost efficient it seems odd to assume it's not being done. The US found a bunch of Russian spies a while back.

But true, it's not right to assume any particular vuln is from spies.


Correct. But you have to assume the spies have vulns in there, either intentionally added, or, if they found vulns, they simply reported them to their agency, instead of their employer.


And even if it were true, it wouldn't be a reason to distrust Microsoft as a whole.


You sound like a shill. Typical deceptive argumentation tactics. Casually dismissing anything you don't like, ignoring common knowledge, veiled insults toward your opponents, and hypocritically advocating blind faith in your position without any evidence behind it--a position which happens to leave you completely vulnerable to trivial deception by plausible deniability.

Oh, and a new account, too. I should hope that few people here would be so naive as to not see through you.


Everything Snowden put out was tinfoil stuff before him. Echelon was tinfoil. Room 641A was tinfoil.

Give us a fucking break from such dangerous naivety.



