Microsoft Says Previous Windows Patches Fixed Newly Leaked NSA Exploits (pcworld.com)

← Back to Stories (view on slashdot.org)

Microsoft Says Previous Windows Patches Fixed Newly Leaked NSA Exploits (pcworld.com)

Posted by msmash on Monday April 17, 2017 @07:40AM from the things-under-control dept.

Microsoft said it has already patched vulnerabilities revealed in last week's high-profile leak of suspected U.S. National Security Agency spying tools, meaning customers should be protected if they've kept their software up-to-date. From a report: Friday's leak caused concern in the security community. The spying tools include about 20 exploits designed to hack into old versions of Windows, such as Windows XP and Windows Server 2008. However, Microsoft said several patches -- one of which was made only last month -- address the vulnerabilities. "Our engineers have investigated the disclosed exploits, and most of the exploits are already patched," the company said in a blog post late on Friday. Three of the exploits found in the leak have not been patched but do not work on platforms that Microsoft currently supports, such as Window 7 or later and Exchange 2010 or later.

48 comments

Min score:

Reason:

Sort:

move along by zlives · 2017-04-17 07:44 · Score: 3, Insightful

you are completely secure citizen. not that you had anything to hide... right?
Meh... by Anonymous Coward · 2017-04-17 07:47 · Score: 2, Insightful

I'd rather they fix the god damn default apps reseting themselves randomly for no good reason instead. Since the day Windows 10 came out it's been an issue. No I don't want Edge to be my default PDF reader, now stop reseting my shit!
1. Re:Meh... by Anonymous Coward · 2017-04-17 08:21 · Score: 0
  
  Thats not a bug, to M$ thats a feature!
It's the timing that is suspect. by Anonymous Coward · 2017-04-17 07:47 · Score: 1

They patched them in the months before they were released, which implies one of two things : Wikileaks contacted them ahead of the release, or the NSA contacted them ahead of the release.
1. Re:It's the timing that is suspect. by Anonymous Coward · 2017-04-17 07:55 · Score: 0
  
  No need timing analyzations comrad, trusting in good old microsoft words, da!
2. Re: It's the timing that is suspect. by Anonymous Coward · 2017-04-17 08:44 · Score: 0
  
  Or SB contacted MS.
  Or MS contacted MS.
3. Re: It's the timing that is suspect. by Anonymous Coward · 2017-04-17 11:46 · Score: 0
  
  Or like, telemetry.
Well yea... by Anonymous Coward · 2017-04-17 07:55 · Score: 0

The NSA doesn't have to hack for windows user data, Microsoft is doing the spying for them with Windows 10.
Controlled Opposition Confirmed? by NicknameUnavailable · 2017-04-17 07:57 · Score: 1

Microsoft has never been known for security prowess, it stands to reason the Wikileaks dump was controlled and Microsoft had foreknowledge of what was being dumped.
1. Re:Controlled Opposition Confirmed? by Anonymous Coward · 2017-04-17 08:00 · Score: 0
  
  >Microsoft has never been known for security prowess, it stands to reason the Wikileaks dump was controlled
  This wasn't a Wikileaks leak. It was from some group called the Shadow Brokers.
2. Re: Controlled Opposition Confirmed? by Anonymous Coward · 2017-04-17 08:49 · Score: 0
  
  SB has dumped some NSA tools.
  WL has dumped some CIA tools.
  Keep your TLAs straight comrade!
Most of them are old fixes. Windows 2003 by raymorris · 2017-04-17 08:01 · Score: 1

ONE of the fixes was fairly recent. Most are old fixes for old exploits.
Our company actually has more recent code than the NSA has in this dump.
From our analysis so far, we're most concerned about Windows 2003.
Get off my turf, punk! by jenningsthecat · 2017-04-17 08:05 · Score: 1

"We're the only ones allowed to pwn our customers", says Microsoft to the NSA.

--
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
1. Re:Get off my turf, punk! by rtb61 · 2017-04-17 11:55 · Score: 1
  
  You left out the 'for free' bit, all of them play when the CIA/NSA/FBI pay (not to forget FSB or MSS). They only scream, Google, M$, Facebook et al, when they are forced to do it for free. They are quite content to do anything to you they can as long as they are paid. Come on people, they roll over for the government of China, they roll over the pretend enemy Russia and fucking hell they even roll over for Saudi Arabia the terrorist state, just as long as they are paid and paid millions of dollars to fuck you over.
  
  --
  Chaos - everything, everywhere, everywhen
2. Re:Get off my turf, punk! by Anonymous Coward · 2017-04-17 17:00 · Score: 0
  
  You left out the 'for free' bit, all of them play when the CIA/NSA/FBI pay (not to forget FSB or MSS). They only scream, Google, M$, Facebook et al, when they are forced to do it for free. They are quite content to do anything to you they can as long as they are paid. Come on people, they roll over for the government of China, they roll over the pretend enemy Russia and fucking hell they even roll over for Saudi Arabia the terrorist state, just as long as they are paid and paid millions of dollars to fuck you over.
  Err no! The upgrade from Windows 7 or 8.1 (there is no cost to upgrade from 8 to 8.1) was not really free since you would have paid the "Microsoft tax" when you purchased your PC unless you are one of those people who has a green (colour optional) parrot on your shoulder and optionally swigs rum whilst singing sea shanties.
Yes but by Anonymous Coward · 2017-04-17 08:18 · Score: 0

Your windows 10 spyware will install if I turn on updates.
It's a catch 22 gentlemen
Excellent, what if it was linux? by Anonymous Coward · 2017-04-17 08:21 · Score: 0

probably Linux Torvallis woudl send angry emails to his free devloperes telling them they do sloppy work
Sounds rotten by Anonymous Coward · 2017-04-17 08:38 · Score: 0

Yea, we discussed this a couple of days ago on reddit. Frankly the whole thing is.... suspicious to say the least.
https://www.reddit.com/r/sysadmin/comments/65j5nc/nsa_exploits_not_zero_days_they_were_patched_or/dgaw45u/?context=3
PLEASE UPDATE SAYS MICROSOFT by Anonymous Coward · 2017-04-17 09:05 · Score: 0

Because we really need to install this telemetry tracking software and keylogger on your computer.
And by the way, if you are a developer, we're going to slurp samples of your code back through Visual Studio for 'analysis'
1. Re: PLEASE UPDATE SAYS MICROSOFT by Anonymous Coward · 2017-04-17 10:35 · Score: 0
  
  Of all the stupid MS conspiracy theories this is by far the dumbest. You honestly think that they would "slurp" up random code samples so they can steal your intellectual property? If you read random snippets of VS developed code you'd find a lot of things- stupid bugs, amateur hour dev, reinventing wheels, and total jibberish. You have to be disingenuous or next level dumb to believe there's any malfeasance here.
2. Re: PLEASE UPDATE SAYS MICROSOFT by Anonymous Coward · 2017-04-18 11:36 · Score: 0
  
  If your program generates a crash, it sends code to microsoft. Read the eula for VS if you really dont believe me.
We fixed em! by Anonymous Coward · 2017-04-17 09:16 · Score: 0

And added new ones...
The *real* question... by gweilo8888 · 2017-04-17 09:16 · Score: 2

...isn't whether they fixed the exploits or not. The real question is how many more exploits were added at the NSA's behest alongside these new patches.
1. Re:The *real* question... by Anonymous Coward · 2017-04-17 11:29 · Score: 0
  
  I presume the NSA have more exploits, and the ones they allowed to leak are not-at-all-coincidentally the ones that have already been plugged.
2. Re:The *real* question... by drinkypoo · 2017-04-18 01:16 · Score: 1
  
  They don't need any new exploits, the whole damned OS is an exploitation framework. They send updates downstream, you will take them in bundles and you will like it peon, and then they collect telemetry upstream. 3, profit!!!
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Can't patch collusion by Anonymous Coward · 2017-04-17 09:46 · Score: 0

There are suspicions that Microsoft included a key in Windows just for the NSA:
https://en.wikipedia.org/wiki/NSAKEY
If you can't hire an independent contractor to audit the code to your standards, you probably don't want to use it for tasks that require security.
So: Put it on your gaming box, but don't use it for online banking, social media, etc.
1. Re: Can't patch collusion by Anonymous Coward · 2017-04-17 10:17 · Score: 0
  
  Oh I get it, because NSA wont get a warrant or hack your bank, Facebook, or ISP instead if they can't get access to your OS. Face it, if an organization such as NSA or CIA decide you are a target, there is no OS or a setup in the world that can protect you. Based on Vault 7 leaks, we saw CIA targets all platforms including Mac and Linux.
2. Re: Can't patch collusion by Anonymous Coward · 2017-04-17 10:58 · Score: 0
  
  I have suspicions you are a moron. You can't independently verify ANYTHING you don't code review, compile yourself and then you are trusting the compiler. So that eliminates Windows, OSX, iOS, Android, and every precompiled Linux flavor. And unless you personally are the one who did it then there's another chain of trust. So I guess we should just turn off the internet and all our devices and write letters by candlelight.
3. Re: Can't patch collusion by Anonymous Coward · 2017-04-17 11:43 · Score: 0
  
  You can't independently verify ANYTHING you don't code review, compile yourself and then you are trusting the compiler.
  I think we have different definitions of "independent verification".
  Or, as the movie Tommy Boy put it, "I can get a good look at a T-bone by sticking my head up a bull's ass, but I'd rather take a butcher's word for it."
  I'll take the butcher's word. You feel free to stick your head wherever you like.
Re:Found the LUDDITE! by Anonymous Coward · 2017-04-17 10:09 · Score: 0

What you just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response, were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having read to it. I award you no points, and may God have mercy on your soul.
Hate to put this in text, but Win10 is decent. by Trax3001BBS · 2017-04-17 10:09 · Score: 0

I'm OEM so no third party participation and Win10 is a tiny freaking OS. My Mom had a preference of shopping with out me and bringing home Acers. I missed my games and went Windows 10 Pro and so far 2 Linux Mint OS's, but it's early - Asus's EFI-BIOS will not update
There are mistakes in the TOS (You read it if asked), one being who you get the updates from, MicroSoft and a tightly controlled thirds. If you use Autoruns https://technet.microsoft.com/... you will find a server running, while mayhaps a bad thing, I see it as their plans of sending them out as torrents (and against the TOS).
Having no malware handy other than the stuff I know I have (no you can't touch that), had to use Eciar https://en.wikipedia.org/wiki/... and found Defender fairly quick and killed a bit of time hiding the packets :)
1. Re:Hate to put this in text, but Win10 is decent. by Anonymous Coward · 2017-04-17 16:21 · Score: 0
  
  Windows 10 is a bloated piece of crap.
2. Re:Hate to put this in text, but Win10 is decent. by ArchieBunker · 2017-04-18 01:35 · Score: 1
  
  You sound like a poorly written chat bot. I still don't know what the hell you are babbling about.
  
  --
  Only the State obtains its revenue by coercion. - Murray Rothbard
3. Re:Hate to put this in text, but Win10 is decent. by Anonymous Coward · 2017-04-18 23:01 · Score: 0
  
  I'm OEM so no third party participation and Win10 is a tiny freaking OS. My Mom had a preference of shopping with out me and bringing home Acers. I missed my games and went Windows 10 Pro and so far 2 Linux Mint OS's, but it's early - Asus's EFI-BIOS will not update
  There are mistakes in the TOS (You read it if asked), one being who you get the updates from, MicroSoft and a tightly controlled thirds. If you use Autoruns https://technet.microsoft.com/... [microsoft.com] you will find a server running, while mayhaps a bad thing, I see it as their plans of sending them out as torrents (and against the TOS).
  Having no malware handy other than the stuff I know I have (no you can't touch that), had to use Eciar https://en.wikipedia.org/wiki/... [wikipedia.org] and found Defender fairly quick and killed a bit of time hiding the packets :)
  What in the name of God made you believe that anyone would care about these words you've just written?
4. Re:Hate to put this in text, but Win10 is decent. by Trax3001BBS · 2017-04-19 17:36 · Score: 1
  
  I've avoided Windows, but gaming won out.
  My Win10 install is very minimal 7 directories, all of my malware sites have been shutdown so I used the EICAR test file.
  I was still in the glow of that test it was entertaining tossing that file out and seeing if Defender picked up on it and it was found fairly quickly.
  Problem here is all malware programs are written to catch the EICAR test file.
  The glow is gone and my Linux Mint not booting after this large Windows update (No boot menu). Things are still the same I've found - let Windows install the file/driver and it's broke being one.
WINDOWS IS DEAD. FACE IT. by Anonymous Coward · 2017-04-17 10:28 · Score: 0

Windows is dead.
Face it.
Re:Found the LUDDITE! by zlives · 2017-04-17 10:34 · Score: 1

god is a Luddite concept, we worship at the altar of AI which is a large touch screen with Apps that can ape apps with their deep learning neural networks... or something like that
So basically... by Anonymous Coward · 2017-04-17 11:44 · Score: 0

So basically the government is fine with people personally selecting which information they will keep private
Very bad title by manu0601 · 2017-04-17 13:30 · Score: 1

The summary actually contradicts the title.

Three of the exploits found in the leak have not been patched but do not work on platforms that Microsoft currently supports, such as Window 7 or later and Exchange 2010 or later.
Many people still run XP and are at risk because of three unpatched flaws.
Re:Found the LUDDITE! by Anonymous Coward · 2017-04-17 16:48 · Score: 0

ONLY apps can app apps, which is why Appdows 10 changes the default apps to appy app apps instead of your filthy LUDDITE software! Apps!
He's back! Now where is that Idiot moderator tag?
Trust. by Anonymous Coward · 2017-04-17 18:59 · Score: 0

Why should I --given past and recent Microsoft behavior-- believe anything they say? Just because...
"Just fucking trust us"?
No.
um... by Anonymous Coward · 2017-04-17 19:03 · Score: 0

Sure, Jan.
Re:Found the LUDDITE! by Anonymous Coward · 2017-04-17 19:30 · Score: 0

Apps are for cows! You are all LUDDITE cows. Cows say moo. MOOOOOOOOOO! MOOOOOOO! Moo cows MOOOOOOO! Moo say the cows. YOU LUDDITE COWS!!
I don't trust Microsoft by Anonymous Coward · 2017-04-17 20:18 · Score: 0

I don't trust Microsoft, and I don't believe them. Using a computer today, for me, is terrible, things designed badly, not being secure, having no privacy. :O
Auditing tools? by l0n3s0m3phr34k · 2017-04-17 22:28 · Score: 1

Anyone know if there are any available auditing tools for these, specifically? I've got a meeting with my upper managment and cross-country team and would love to show them this specifically as to why they need to drop 2008 ASAP.