Microsoft confirms it's patched most of the NSA's Windows exploits

Older versions, like Windows XP and Server 2003, are almost certainly vulnerable and will stay that way

Microsoft on Friday said it had patched most of the Windows vulnerabilities purportedly exploited by the National Security Agency (NSA) using tools that were leaked last week.

The Windows flaws were disclosed by the hacking gang Shadow Brokers in a large data dump earlier Friday. The group has released several collections of documents about the internal operations of the NSA, and the code it allegedly has used to compromise computers and other devices worldwide.

"Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products," Phillip Misner, a group manager in the Microsoft Security Response Center (MSRC), wrote in a post to a company blog.

Misner listed nine exploits included in the Shadow Brokers' dump, and named the security updates that patched the vulnerabilities each exploit leveraged. The updates had been issued from October 2008 to March 2017. And four of the nine were addressed in the MS17-010 security bulletin, which was released March 14.

Three other Windows exploits, Misner continued, had not been patched. "None reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows, or Exchange 2010 and newer versions of Exchange, are not at risk," he said [emphasis added]. "Customers still running prior versions of these products are encouraged to upgrade to a supported offering."

Miser's wording was important: Because the three exploits relied on vulnerabilities that were either not present or not effective in Windows 7 and later, the company would not be patching those editions. However, he implied that earlier versions are vulnerable.

Microsoft retired Windows Vista last week, and the even older Windows XP more than three years ago. The latter would be at risk, since it hasn't received security updates since 2014, and thus could be vulnerable to at least four and perhaps as many as seven of the 12 exploits. (Even though it was retired this month, it appeared that Vista was patched against most of the NSA exploits, perhaps all of them.)

Some of the exploits allegedly used by the NSA relied on vulnerabilities in older and not-supported SKUs (stock-selling units) of Windows Server, according to Matt Suiche, founder of the security firm Comaeio, who named Windows 2003 specifically.

But even the SKUs for which Microsoft has issued updates may be vulnerable if customers have not applied the fixes. That would especially apply to MS17-010, issued just over a month ago and thus unlikely to have been deployed by every enterprise.

Suiche recommended that users, even those still running the continues-to-be-patched Windows 7, upgrade to the newest SKU, Windows 10. "It is considerably harder to exploit bugs on Windows 10 than it is on Windows 7," Suiche asserted. "If you didn't yet, you should upgrade your OS to Windows 10 ASAP."

Join the Computerworld newsletter!

Error: Please check your email address.

Tags Daily BriefingMicrosoft

More about CustomersMicrosoftNational Security AgencyNSA

Show Comments

Market Place