Perhaps they were fixed as part of unrelated bug fixes? That would explain why they didn't credit anyone as having reported them. Something like, "Fixed bad return value leak," or "refactoring old method" could break the exploits.
Perhaps someone had noted intrusions using these methods and reported it to microsoft, but don't want to publically report that they had a security incident.
The NSA knew they were burned and these exploits would be used against American interests shortly. I imagine they sent them to MS. Note these particular fixes have no source, which while not uncommon, is very telling considering its multiple items with no credit.
They're also very nasty for sysadmins. smb exploits giving SYSTEM level access on servers and domain hacks are pretty much worse case scenarios. I pity any shop who hasn't updated yet. The attacks are weaponized and are in the wild right now packed into trojans, ransomware, crimepacks, etc.
I'm glad I am not doing sysadmin for anyone but myself these days, the tools and knowledge needed to handle this level of mass intrusion available to common sysadmins is abysmal.
By the way, has anyone heard anything in the leaks about HIDS exploits? Right now I am leaning towards the position that if "everything is comprimised", the key to security in the future is primarily in log notifications and other auditing measures. I saw some stuff about deleting windows event logs, but if for example the server was running a hids that syslogged to a central log server, or even an encrypted decentralized log server, they would have to comprimise the entire system to prevent the log from existing.
The codenames / coverterms were in ShadowBrokers screenshots back in January. It would be very strange if at least one person at NSA had not seen this and reported beforehand to Microsoft (with or without agency knowing).
One explanation is that someone tried to use the exploits in a less than inconspicuous way, which resulted in a crash, and then Microsoft's crash reporting picked it up. I read somewhere they specifically look for exploitable crashes (e.g. buffer overflows) in the long tail of rare crashes and try to fix them. But I'm just speculating of course.
Just try not to be naive when trying to understand espionage and counterespionage. A clever strategy is to give the adversary what they want, while profiting from it. Let them have the feeling they're winning while they're actually losing.
0 days may be real and the exploits may be real too. But maybe the higher objective was to make people believe that the NSA operates regularly through 0 days, that there's no preferential disclosure of bugs between them and Microsoft, and that they do not rely on RNG/crypto/hardware/software tricks or backdoors. We will never have the means to truly know if any of that is the case.
So while the leak might be real, it could be still be fake in the sense that is not representative of reality in terms of how they operate.
Then, you do not fully know if running the exploits come with unexpected side effects put there by the authors.
I am very skeptical of high profile leaks with full media coverage such as this one, as well as Assange, Snowden, etc. Maybe the information is true but cherry-picked, and potentially mixed with false information.
Do not underestimate people that make a living dealing with classified information and asymmetric information.
14 comments
[ 7.0 ms ] story [ 79.3 ms ] threadThey're also very nasty for sysadmins. smb exploits giving SYSTEM level access on servers and domain hacks are pretty much worse case scenarios. I pity any shop who hasn't updated yet. The attacks are weaponized and are in the wild right now packed into trojans, ransomware, crimepacks, etc.
By the way, has anyone heard anything in the leaks about HIDS exploits? Right now I am leaning towards the position that if "everything is comprimised", the key to security in the future is primarily in log notifications and other auditing measures. I saw some stuff about deleting windows event logs, but if for example the server was running a hids that syslogged to a central log server, or even an encrypted decentralized log server, they would have to comprimise the entire system to prevent the log from existing.
Security is about layers.
I agree completely with your first paragraph though and it seems like a likely situation.
Oh, I guess you need to talk to apple about this.
https://dpron.com/os-x-10-11-5-slow-smb/
I got bit by this last week. Got a new NAS. Windows clients work fine, OSX is slow and error prone. Solution? Disable SMB2/3.
Apple needs to get hammered for this.
It's sad really.
0 days may be real and the exploits may be real too. But maybe the higher objective was to make people believe that the NSA operates regularly through 0 days, that there's no preferential disclosure of bugs between them and Microsoft, and that they do not rely on RNG/crypto/hardware/software tricks or backdoors. We will never have the means to truly know if any of that is the case.
So while the leak might be real, it could be still be fake in the sense that is not representative of reality in terms of how they operate.
Then, you do not fully know if running the exploits come with unexpected side effects put there by the authors.
I am very skeptical of high profile leaks with full media coverage such as this one, as well as Assange, Snowden, etc. Maybe the information is true but cherry-picked, and potentially mixed with false information.
Do not underestimate people that make a living dealing with classified information and asymmetric information.