Microsoft announced Friday that it had already patched the vulnerabilities that were disclosed by the Shadow Brokers last week.
The National Security Agency notified Microsoft about the vulnerabilities that the agency and the hacker group were aware of in January and Microsoft patched the systems by March. When the Shadow Brokers released the password to encrypted NSA tools used to target Windows systems, Microsoft determined that all of the exploits were already patched or are no longer supported on Windows platforms.
“When a potential vulnerability is reported to Microsoft, either from an internal or external source, the Microsoft Security Response Center (MSRC) kicks off an immediate and thorough investigation,” said Phillip Misner, principal security group manager of the Microsoft Security Response Center, in a security update. “We work to swiftly validate the claim and make sure legitimate, unresolved vulnerabilities that put customers at risk are fixed.”
The NSA tools appear to have been stolen in 2013 and, at the time, were zero-day exploits targeting Windows 8 and Windows Server 2013. The NSA is required to notify American companies when the agency finds zero-day vulnerabilities in their systems in order to give the companies a chance to protect their networks from attacks.
“I’m comfortable with the NSA keeping as many 0-days affecting U.S. systems as they want, so long as they are NOBUS (Nobody But Us),” Nicholas Weaver, senior staff researcher focusing on computer security at the International Computer Science Institute in Berkeley, Calif., said in a blog post. “Once the NSA is aware an adversary knows of the vulnerabilities, the agency has an obligation to protect U.S. interests through disclosure.”
The Shadow Brokers’ leaks indicate that the NSA infiltrated a Dubai company that helps manage transactions in the international bank messaging system Swift. Swift is used by about 11,000 banks to transfer money between countries.
Despite the indication that the NSA notified Microsoft of the vulnerabilities contained in the leaks, some technical experts expressed doubts that the NSA always follows this rule when necessary. Industry leaders have argued that the NSA, CIA, and other spy agencies need to be more open with companies by disclosing the cyber vulnerabilities that they find so that companies can fix them and build stronger networks.
“Unfortunately, since everyone uses the same technology in today’s global economy, each of these vulnerabilities also represents a threat to American businesses and individuals,” Daniel Castro, vice president of the Information Technology and Innovation Foundation, said in a blog post in March. “In the future, rather than hoard this information, the CIA and other intelligence agencies should commit to responsibly disclosing vulnerabilities it discovers to the private sector so that security holes can be patched.”
The NSA does not disclose about 9 percent of the vulnerabilities that it finds, according to Castro. The NSA does not have to disclose vulnerabilities if the agency believes that no other actors know about them or that disclosing the vulnerabilities would affect national security.
“Might be time to consider a standalone defensive cybersecurity agency like France, Germany, Japan or Korea. Current model not working,” Alex Stamos (@alexstamos), the chief security officer of Facebook, tweeted on Friday, April 14, 2017.