Microsoft: Latest security fixes thwart NSA hacking tools

The company previously said it would not fix three outstanding exploits, but reversed course following the ransomware attack in May.
Written by Zack Whittaker, Contributor

Microsoft headquarters. (Image: file photo)

Microsoft has confirmed its latest round of security patches has fixed three remaining vulnerabilities built by the National Security Agency, which the company previously said it would not fix.

The company confirmed to ZDNet that it had reversed course on releasing patches for the exploits, which Microsoft said earlier this year only affect older operating systems that have since been retired, notably Windows XP and Windows Server 2003.

The release comes as the software giant warned of an "elevated risk for destructive cyberattacks" following last month's ransomware-based cyberattack.

It's the latest twist in a cat-and-mouse game between the National Security Agency and Microsoft in recent months, after the intelligence agency lost control of its arsenal of hacking tools.

An unknown hacker group obtained the cache of tools in one of the biggest breaches of classified files since the Edward Snowden revelations. These tools allowed NSA analysts to break into a range of systems, network equipment, and firewalls, and most recently, Linux servers, and a range of Windows operating systems. The group attempted to auction off the files but failed, and it has been releasing portions of the stolen files in stages.

Microsoft patched the vulnerabilities in all supported versions of Windows in the April update, but left three exploits remaining. The company said that the flaws only affected older versions of Windows, and users should upgrade.

But after last month's massive WannaCry outbreak, which locked thousands of computers with ransomware, Microsoft is patching the rest of the exploits in an effort to avoid a repeat of the attack.

A spokesperson said that the three Windows exploits -- dubbed ENGLISHMANDENTIST, ESTEEMAUDIT, and EXPLODINGCAN (which was also independently discovered) -- are now fixed in June's security updates.

"These vulnerabilities are quite serious and still widespread, even with the affected systems having been 'out of service' for some time," said Sean Dillon, senior security analyst for cybersecurity firm RiskSense, in an email.

"Independent discovery for some of the fixed vulnerabilities occurred before the Shadow Brokers leak, indicating researchers and malware authors are still interested in finding problems in legacy versions of Microsoft products. While releasing the patch should be considered the correct proactive approach from Microsoft given current events, there's no indication that the practice will continue," he added.

He said that "hundreds of thousands, and potentially millions" of vulnerable systems pose an "imminent" threat of exploitation.

"The greatest threat is not necessarily ransomware. Installation of stealthier malware, such as banking spyware and key-loggers, as well as exfiltration of intellectual property or classified information, is a huge risk if an attacker is able to breach into the internal network and install back-doors," he added.

"Organizations should look at the patches released today as a temporary solution and continue to upgrade legacy systems to supported versions."

Microsoft said that the decision to patch the flaws was a "rare move," adding that it "should not be viewed as a departure from our standard servicing policies."

"Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly," the company said, but urged users of older operating systems to upgrade as soon as possible.

"The move by Microsoft to patch these vulnerabilities will be read by many as a signal that there is no real need to update their legacy operating systems," said Jake Williams, founder of Rendition Infosec, a security consultancy group.

"This is the third time Microsoft has updated legacy operating systems (XP) to reduce exposure to vulnerabilities being exploited in the wild. Given that Microsoft has never left legacy operating systems exposed to a widely exploited vulnerability, organizations can conclude this behavior will likely continue in the future," he said.

"But newer versions of the operating system have many built in exploit mitigations that make the attacker's job dramatically more difficult, even when exploiting a known vulnerability," he added.

Microsoft did not outright say that the NSA was behind the exploits targeting Microsoft operating systems, but did confirm in a blog post that the hacking tools were the result of "nation-state activity."

An NSA spokesperson declined to comment.
