Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Exploits Ported To Work on All Windows Versions Released Since Windows 2000 (bleepingcomputer.com)

Posted by msmash on from the security-woes dept.

Catalin Cimpanu, reporting for BleepingComputer: A security researcher has ported three leaked NSA exploits to work on all Windows versions released in the past 18 years, starting with Windows 2000. The three exploits are EternalChampion, EternalRomance, and EternalSynergy; all three leaked last April by a hacking group known as The Shadow Brokers who claimed to have stolen the code from the NSA. Several exploits and hacking tools were released in the April 2017 Shadow Brokers dump, the most famous being EternalBlue, the exploit used in the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks.

14 of 95 comments (clear)

  1. Windows always excelled at backward compatibility by JoeyRox · · Score: 5, Funny

    That's called taking care of your installed base.

  2. The good old days by DNS-and-BIND · · Score: 2, Funny

    Remember when we chalked the NSA up on our side? They might have been a secretive government agency, but no matter what they did they had our interests at heart. Those were the days, weren't they?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re:The good old days by DNS-and-BIND · · Score: 4, Insightful

      They no longer regard themselves as under the control of the elected government. James Clapper was director of National Intelligence when he lied under oath to Congress and the American people saying we were not spying on innocent Americans. Good thing Scandal Free Obama was in charge and the media didn't care.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:The good old days by HiThere · · Score: 3, Insightful

      Given the currently known evidence, it actually does appear that in the 1960's the NSA was partially on the side of secure communications. It's true they argued for a key short enough that they could break it, but they also argued for some program changes that nobody else understood, but which eventually turned out to patch the program to make it more difficult to break.

      The problem is that the NSA is inherently two different organizations with conflicting goals. One is supposed to secure communications, and the other is supposed to spy on them. (Nevermind that it's only supposed to spy on foreigners. That's irrelevant to the point.) Unfortunately the spys are more adept at politics than the security researchers, so they appear have come to totally dominate the agency...and as a result nobody sensible trusts anything related to it.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  3. Dodged a bullet there... by rwbaskette · · Score: 4, Funny

    ... I'm still running NT Workstation

    1. Re:Dodged a bullet there... by IWantMoreSpamPlease · · Score: 2

      I know you jest, but I actually installed NT 4.0 workstation last year onto a laptop built in the post 2000 era.
      *Very* challenging (drivers being a huge issue), but in the end, I had a laptop that booted in seconds, and was quite useless online (but it was funny to see webpages attempt to render on a platform that didn't recognize the web-programming languages.)

      One of the biggest challenges was simply finding SPs and patches. MS of course wiped them all out, and many websites were simply pointing back to MS's site for the files. In the end I found all the patches and tricks I needed, but my we have come a long way from NT days...

      --
      So rise up, all ye lost ones, as one, we'll claw the clouds.
  4. Good news everyone! by Virtucon · · Score: 3, Funny

    At least the NSA won't be able to use those exploits anymore.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  5. You don't steal from the NSA unless... by Viol8 · · Score: 2

    ... you worked there. The chances of Mr A Random Hacker gaining access to their core systems are as close to zero as makes no difference. If original code is truly from the NSA then it was leaked by an employee.

  6. "All versions", yeah right by ET3D · · Score: 3, Interesting

    Interesting that he went for a 2 year old version of Windows 10. Would have been much more interesting if he tested the latest patched versions of all OS's. If he did that for Windows 10, won't surprise me if he also used unpatched versions of Windows 8.1 and 7.

    1. Re:"All versions", yeah right by Anonymous Coward · · Score: 2, Informative

      Interesting that he went for a 2 year old version of Windows 10. Would have been much more interesting if he tested the latest patched versions of all OS's.

      He did, although you have to read the article linked in the article linked from the summary to know this.

      He tested on FOUR different versions of Windows 10:
      10.10240 - vulnerable
      10.10586 - vulnerable
      10.14393 - vulnerable
      10.16299 - NOT VULNERABLE

      Also 10.16299 is from October 2017, which is only 5 months old right now, not 24 months as you imply.
      10.10586 and 10.14393 are both not 24 months old yet either.
      Only one version in that list, 10.10240, is more than 24 months old. But seeing as four isn't one as you claim, I'm not counting that as a correct statement either.

      If he did that for Windows 10, won't surprise me if he also used unpatched versions of Windows 8.1 and 7.

      Of course he did, and says so. He also tested the fully patched versions along with them.

      Windows 7: Release version, SP0, SP1, and SP1 with the KB3020369 rollup.
      The first ones are older unpactched versions, or specifically for SP0 and SP1, they are patched just not the latest patches.
      The latest would be the KB3020369 rollup, which is also vulnerable.

      Windows 8.1: Release version, Evaluation 9600, and SP1.
      The first is unpatched, the second is the beta for SP1 so is patched but not the latest patches, and SP1 is the latest. All are vulnerable.

  7. Re:yes but did you heard the eagles won the game by mnemotronic · · Score: 3, Funny

    I made a fair amount of money on that game. Monopoly money, of course ...

    Exchange it for BitCoins.

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  8. They are a government agancy first by Excelcia · · Score: 5, Interesting

    It's not the fact that the NSA isn't allowed to hack. It's the fact that they discovered multiple critical vulnerabilities in an OS used by hundreds of millions of American citizens and other American agencies and governments, and instead of disclosing it responsibly so that Americans would be protected, they sat on that information. Worse, they weaponized it, then they let the weapon escape out into the wild. NSA exploits are responsible for more billions of dollars in ransomeware attacks than any single source.

    The NSA failed to protect Americans, weaponized a weakness shared by virtually every citizen, and then failed to keep their weapons locked up. Imagine if the US Air Force lost a few nukes. The property damage by NSA leaks is about akin to dropping a nuke on medium sized city. The NSA leadership responsible for those decisions shouldn't just be fired, they should be hauled (in chains) before congress to answer publicly for those decisions. I cannot fathom why the American people aren't still howling for their arrest.

    1. Re:They are a government agancy first by VeryFluffyBunny · · Score: 3, Insightful

      How many phone calls did you make to your elected representatives demanding they do something about this? Oh wait, you expected someone else to solve the problem for you?

      Even if you're not in the states, like any citizen, part of your responsibility is to regularly lobby the government to represent your interests. This stuff happens everywhere, in every country where people expect some annointed king-like leader to solve all their problems and read their minds.

      Yes, that's the typical response of victim blamers and it's a load of bollocks.

      How are citizens supposed to do something when their political representatives actively avoid them, and everything that matters to people is taken out of democratic control, or made secret, e.g. that the NSA was spying on American citizens in the US without reasonable suspicion or probable cause?

      How would you like to blame voters who've been forced into a captive 2 party system dominated by corporate funding?

      And how about all the US citizens and party members who are denied their right to vote by closing down polling stations and disqualifying large numbers of votes? How would you like to blame them?

      When you have a participatory democracy instead of a representative one, you can blame the electorate for lack of participation. Don't shit on the unfortunate and disenfranchised.

      --
      Debate is a form of harassment. Do not question my truth.
  9. Re:When are they releasing the Windows 2000 patch? by mnemotronic · · Score: 2

    Consider Microsoft's position:
    Many of the operating systems are on End-of-Life status which means this product will no longer receive assisted support or security updates from Microsoft. These OSs are still widely used and are now even more vulnerable, if that's possible.
    Microsoft is in a bind. They could provide patches for these vulnerabilities, or restate their policy: "Your're on your own bucko". How many people left at Microsoft worked on the Windows 2000 software or remember it? If MS does somehow figure out how to patch these OSs, then I can see that as setting a precedent that says they will provide security fixes in certain situations. That's the kind of vague context that lawyers love and could lead to future class action lawsuits when they refuse to fix a bug that caused problems for someone. "Hey Microsoft, you did a fix for Eternal Blue but didn't do one for Never Ending Orange and my data got stolen! It's your fault."

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.