A hacking group called The Shadow Brokers released a set of tools they claimed were taken from the National Security Agency (NSA). Most of the tools exploited previously unknown vulnerabilities in the Microsoft Windows operating system, and the release sent the security industry into a scramble to work out how to mitigate and close these holes until the vulnerabilities were fixed.
In an interesting turn, Microsoft came out and said that, after analyzing the tools, all of the vulnerabilities those tools used had already been patched the previous month. Convenient timing.
“Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Customers still running prior versions of these products are encouraged to upgrade to a supported offering,” Microsoft Security Team said in a blog post published today.
Microsoft has assured that the remaining exploits from the dump are not a problem on “up to date” systems. Meaning: if you are running Windows 7 or newer, you’re fine. Vista, XP, pre-2010 Exchange… you’re on your own.
“Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk.” Microsoft says.
What can the world learn from this? It’s simple.
If you have technology in your environment, you are accepting the responsibility to make sure those systems are maintained properly. You can no longer drop in a server and let it sit: ignoring the monthly patches, not planning for upgrades to the software, assuming that everything will be fine because no one uses it daily. Hackers are successful today not only because they can exploit systems but because they rely heavily on the laziness of the owners. These hacking tools are now in the public realm, so anyone from a state-sponsored group to a disgruntled employee can get their hands on them. You may not be a target for a large, coordinated hacking group, but how about the under-appreciated IT employee with a bad attitude? That is the risk everyone faces now.
Patching is an easy, routine activity that should be a top priority for any security program. If you think the patch notes are 100% accurate, you are fooling yourself: vendors often quietly fix things they don’t want to disclose, whether out of embarrassment or because disclosure would expose other, larger known problems with their products. The days of patches blowing up systems are few and far between, and the testing you need can be done in a much shorter time frame than you think. Not patching should be a bigger worry than what a new patch ‘might’ do.
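As a concrete version of that routine, here is an added example (my own, not code from the original post or from Microsoft) that turns the two questions above into a quick check on a Windows host: is the OS still a supported version (Windows 7 / NT 6.1 or newer, as the post frames it), and when did it last receive a hotfix? The 30-day threshold is an assumption taken from the “monthly patches” cadence, and the function name Get-PatchPosture is my own.

```powershell
# Added example (not from the original post): a quick patch-posture check for
# Windows hosts using only built-in cmdlets. The Windows 7 (NT 6.1) cutoff and
# the 30-day staleness threshold are assumptions drawn from the post, not a
# vendor rule; adjust them to your own support and patch policy.
function Get-PatchPosture {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$MaxDaysSincePatch = 30
    )
    foreach ($c in $ComputerName) {
        # Only pass -ComputerName for remote hosts; local queries need no WinRM/DCOM.
        $target = @{}
        if ($c -ne $env:COMPUTERNAME -and $c -ne 'localhost') { $target.ComputerName = $c }

        $os  = Get-CimInstance -ClassName Win32_OperatingSystem @target
        $ver = [version]$os.Version
        # XP reports 5.1 and Vista 6.0; Windows 7 / Server 2008 R2 report 6.1.
        $supportedOs = $ver -ge [version]'6.1'

        # Get-HotFix reads Win32_QuickFixEngineering. It is a heuristic only:
        # some updates never appear there, and InstalledOn can be null, so the
        # authoritative answer still comes from WSUS/SCCM or the Windows Update API.
        $hotfixes = Get-HotFix @target | Where-Object { $_.InstalledOn }
        $newest   = $hotfixes | Sort-Object InstalledOn -Descending | Select-Object -First 1
        $days     = if ($newest) { (New-TimeSpan -Start $newest.InstalledOn -End (Get-Date)).Days } else { $null }
        $stale    = ($null -eq $days) -or ($days -gt $MaxDaysSincePatch)

        [pscustomobject]@{
            Computer       = $c
            OS             = $os.Caption
            Version        = $os.Version
            SupportedOS    = $supportedOs
            LastHotFix     = if ($newest) { $newest.HotFixID } else { 'none recorded' }
            DaysSincePatch = $days
            Stale          = $stale
            NeedsAction    = (-not $supportedOs) -or $stale
        }
    }
}

# Usage: run from an elevated shell. Pipe a list of hostnames in to build the worklist
# of machines that are either unsupported or have not seen a patch this cycle.
Get-PatchPosture -ComputerName 'localhost' | Format-List
# Get-Content .\servers.txt | ForEach-Object { Get-PatchPosture -ComputerName $_ } |
#     Where-Object NeedsAction | Format-Table Computer, OS, LastHotFix, DaysSincePatch
```

Treat a `NeedsAction` of `True` as a starting point, not a verdict: a host can show a recent hotfix and still be missing the one that matters, which is why the check should be backed by your update management system rather than replacing it.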
The whistleblower leaks should make it apparent that there are vulnerabilities out there being actively used that no one else knows about. As security professionals we must do what we can to protect the systems, data and people. “Accepting the risk” of not patching as soon as possible will only end badly. Accepting risk is far too often used as an excuse rather than a proper business decision. Patching and running supported software are exempt from the usual excuses for delay.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.