113 comments

[ 1.4 ms ] story [ 162 ms ] thread
What the heck does "nation-state activity" means?
It means governments are exploiting the OS instead of random hackers.
"Activity" = codename for hacking
> we have taken action to provide additional critical security updates to address vulnerabilities that are at heightened risk of exploitation due to past nation-state activity and disclosures.

It's state sponsored hacking or hoarding of vulnerabilities.

Presumably it's another case where an intelligence agency lost control of an exploit they developed, the same thing that happened with WannaCry.
>What the heck does "nation-state activity" means?

That looks hard enough to understand, but additionally it is "potential".

Russia
> Russia

Is that a new way of saying "NSA"?

All joking aside... this is likely the tail-end result of the Shadow Brokers leak coupled with the recently-used exploits in the failed crypto-locker variant "Wanna Cry".

Interesting question.

"Nation" is really the people, not the country or the state, and the reason it's mixed up to the point of having reached the dictionaries, is the strong nation-states that have been founded in Europe the last few hundred years.

"State" is the organisation that governs a country or region, and in extension all it's concerns.

Activity means hacking.

So... a government organisation from a country of ethnically and culturally distinct people are hacking shit.

How the fuck are some government orgs still on Windows XP?? Seriously, we need government-wide standards in place so this sort of thing doesn't happen.
Strict standards and certifications that make it hard to make changes are one contributing factor to how we ended up here.
(comment deleted)
How dare the customer have opinions of there own and vote with there feet and money for it! This is outrageous! Dont they want to go Hipster-Hyper-Heaven?
I'm not saying the customer shouldn't be able to vote with their feet/wallet, but they should also be aware that code rots, and security vulnerabilities become more known as time goes on. I don't think criticizing an organization for sticking with ever older, ever more insecure software is necessarily wrong.

What makes this harder is that people bought into a platform that doesn't given them access to the code they run. The business that originally created it isn't interested in supporting it further (well, they are, i.e., "Windows 10", but I presume that that's not acceptable to our hypothetical "vote with there [sic] feet" person), and I don't really see that the business should be forced to support it, either. (It's not like MS didn't support it for quite a while, and don't still offer a solution.)

Software evolves. Ideally we're finding more secure and better ways of doing stuff, and shedding the old stuff, though I acknowledge the debatability of that. I acknowledge that it's also unfortunate that UI changes, and bloat, often seem tightly coupled with that. But if people also persist in choosing non-free, non-open source software…

Really, the reason "code rots" is because of updates. Compatibility with old code breaks over time. That is, in fact, exactly why so many government systems use ancient Windows XP versions and the like: Code doesn't rot if you don't update anything.

Of course, security vulnerabilities do still become more known over time, and if you patch for them, you end up rotting code.

To handle both code rot and security vulnerabilities, you need software that is persistently maintained and upgraded, which means having a software team permanently on the job instead of what a lot of government software came from: One-time projects where a contractor comes in and does something.

We have government wide standards, they standardize on Microsoft's proprietary non-standard products.

Microsoft built this mess for profit, and continue to profit off of taxpayers indefinitely as hobbled state institutions are forced to pay permanent support contracts for old OSes because the states themselves mandated they use this shit by law. I'd love to see how many campaign contributions MS made to representatives pushing laws standardizing on Word or other bullshit MS only tech in state institutions and even worse, in schools.

Public education is infested with Microsoft giving away / heavily subsidizing their locked in products so children are hooked on them for life, and nobody is outraged about it.

Hell, the whole war for the classroom from all parties involved is disgusting. Microsoft, Apple, and Google all push free access to their proprietary services and products to lock kids into their ecosystems. And while Google's platform, Chromebooks, are much more open than their competitors, they offset that by also having the ulterior motive of farming these kids for their big data research (not to say MS and Apple aren't doing it too, just saying Google is far from innocent here).

The whole intersection of state and software globally is a giant mess of corruption. There is way too much profit to be made off taxpayers money for anything close to good intentions to win the day.

I'd love to see how many campaign contributions MS made to representatives pushing laws standardizing on Word or other bullshit MS only tech in state institutions and even worse, in schools.

I keep hearing it will be the Year Of The Linux Desktop and it keeps never happening. That's why. No need for any wacky conspiracy theories, for the average user who just wants their computer to be a tool to get work done, the choices are Windows or Mac, and for large organisations who want to centrally manage machines, the choice is... Windows.

I haven't heard anyone say "year of linux on the desktop" for years now. Do people really still say this?
> for the average user who just wants their computer to be a tool to get work done, the choices are Windows or Mac

And yet Chromebook and iPad sales are booming at the expense of the PC. My sample size is ~20 family members. Those with Chromebooks love them and those with Windows 8/10 despise them. From a support perspective, it's considerably less for Chromebooks vs multiple issues with malware on the Windows devices.

Caveat emptor, YMMV etc.

From the stories I've heard I wouldn't be surprised if some were still on DOS. It's hard to develop in house with a tightly controlled budget and it's hard to outsource when you're dealing with sensitive data.
DOS? I still have to maintain basic CP/M proficiency as one of the pieces of heavy machinery in our workshop is controlled via an über-proprietary interface firmly embedded in an M68k machine.

We only got rid of the VMS controlled CNC lathe a couple of years ago - it ran off a VAXstation something-or-the-other. A 2100, methinks.

Granted, these machines didn't pose much of a problem besides scarcity of spare parts - neither of them had any need for a network, anyway.

I've seen a lot of specialized measurement equipment running on ancient hardware - oldest I've personally seen is a microwave radar analyser running windows 3.1 as far as I know this is due to a specialized hardware card.

Some industries are still full of Unix boxes from the 90's RS/6000 vintage. I've heard oil and gas industry is pretty bad for this sort of stuff especially in industrial control systems.

I wouldn't call it bad as such, if it is fit for purpose, it is fit for purpose.

Problems arise when some bright spark figures out that it would be much easier to collect data via a network, directly from $Expensive_Device - or when another bright spark in accounting figures one can do without spare parts; after all, OEMs are supposed to keep stock of spares, right? No. Not years - decades - after sending out the EoL notice.

As an aside, I probably have one of the largest concentrations of Motorola pSOS hardware in the world in my shed (that is, the office next door) - my employer used a LOT of pSOS kit in the nineties, and as the platform became obsolete, noone thought to preserve a supply of spare parts; I quite literally dumpster-dived to reclaim whatever I could which warehouse staff had been told to get rid of.

Still happens every now and then that a customer asks for pSOS thingies. I really should get myself a stuffed dodo to put on the shelf next to the Motorola boxes...

I wouldn't be surprised if some traffic-related agency was using Windows98, I've seen everything from supermarkets and grocery stores to banks and post offices using Windows98 here (Brazil).
I work for a healthcare organization with 100,000+ employees serving a population of just over 4.2 million. I went from XP to Windows 7 last month.
One of the regions in Denmark is migrating from Windows XP to Windows 7 and the to Windows 10. They have yet to provide a good reason for not just skipping Windows 7
Those decisions are often hard to understand although there may be a specific reason once you ask.

I just saw a system that used Java applets. Java applets are outdated so they rewrote it in ...drumroll... Flash.

I believe I saw in a mass email regarding the upgrade that part of the problem is the organization has to support nearly 1200 pieces of software. I don't envy the IT people.
When you have a complex system with very specific characteristics you can't upgrade that easily. We have machines with Windows 2000 and XP in the lab that do what they need to very well. Every new Windows version adds new restrictions so an upgrade would most likely require a rewrite of the code. It's not that easy.

I can imagine there are plenty of systems still on DOS.

I keep a winxp vm around for some old games. Many of the download links at https://support.microsoft.com/en-us/help/4025687/microsoft-s... , especially in table parts 2 and 3 for winxp go to 404 pages. Also, ie for winxp does not seem to be able to even open the windows update website any more. Any tips?
Just download it normally and move it to your VM through network share or whatever.
Have you tried manually installing SP3 first? I remember an old PC I had to troubleshoot wouldn't install anything else until I had that.
I tried to install Xp in a VM a few weeks ago to see if I could run a few old games. The iso I had was for XP Sp2, and I couldn't find a download link for the Sp3 installer on the whole Microsoft site. Links from search engines become "the file is no longer available" or something similar
Yeah, I'm sure it has SP3, and I think also all the regularly issued windows updates up until EOL. Anyways, it looks like more updates are coming online now. Perhaps they published the links before publishing the linked pages.
I can't help but feel that Microsoft providing these security updates long past XP's stated EOL date will only decrease security in the long run. After all, if any "big enough" vulnerability results in getting a patch anyways, why upgrade/firewall that old XP system running your equipment? And I'd bet that people will expect the same treatment for Windows 7, too.

People never learn when disaster is narrowly averted. People learn when their decisions mean everything is on fire.

Anyone still using XP at this point is obviously not planning to upgrade to a new OS in the first place. I'm certain there are virtually no XP users who would have been swayed to finally upgrade by these specific security patches being withheld.
Maybe not from security patches being withheld, but I'd bet that Britain's NHS has done something to improve security following their encounter with WannaCry - and I know my university's hospital system did.
Imagine if you will a hospital system say, the VA, which owns a number of MRI machines, x-ray equipment, or similar which runs Windows XP. Now imagine that these machines were built by a company that was acquired and dismantled and therefore can no longer provide updates. Now imagine that these machines are connected to the local network behind the firewall, but can not be air gapped... for reasons. These machines work just fine, other than having an old OS. Should they get scrapped?
I'd say yes, especially if they're not getting security updates and are connected to the rest of the network.

Honestly, the cost of it getting broken into seems to be significantly higher than the cost of upgrading the systems.

The problem is getting the funding for such a thing approved when it's not already stipulated in the contract from the start. "Who cares if it's EoL at Microsoft? Is it broken? Will it break when they put it in EoL status? Alright then - leave them be."
> Honestly, the cost of it getting broken into seems to be significantly higher than the cost of upgrading the systems.

We don't necessarily know what the costs of "getting broken into" are. It depends on who you are and what the breakin does. It could only cost the time it takes for IT to restore a backup and plug the hole. I mean, yeah, if you suffer a spectacular ransomware attack and are screwed so badly that you must pay the ransom and everyone finds out, that's probably more expensive than updating. But that's not the only threat or even the most likely threat your organization may contend with.

We also don't necessarily know what the costs of updating are. If you're just doing boring office stuff, the costs are low and you should just fork over the money to Microsoft and get it over with. If you need to update a bunch of custom drivers for some devices that are important to your business because the device manufacturer went out of business, that could be a vastly expensive software development project that your organization can't afford to do. Certainly that costs a lot more than having Bob in IT rewind the tapes when Russian hackers get ransomware past the firewall.

>Should they get scrapped?

Of cause not, but the hospital knew that the Windows XP running their multi-million dollar scanners would be end-of-life before the scanner it self. They should have required that the software be placed in escrow for the life time of the scanner, so that other parties could do any needed updates, if the supplier failed to do so.

I'm sorry, I get that you can't throw away expensive hardware, just because Microsoft no longer patch that version of Windows required to run the software but: EVERYONE knew that the hardware would be in use beyond end of life date for the operating system. So why isn't that included in contracts and support plans? Do banks and hospitals even care enough to ask how the supplier plans to deal with an EOL operating system?

> They should have required that the software be placed in escrow for the life time of the scanner, so that other parties could do any needed updates, if the supplier failed to do so.

People do that?

I've worked on software for large pharma companies and several of our customers required escrow agreements. In our case it was to protect against us going under rather than just not wanting to do updates any more.
If you're big enough, you can negotiate any contract you want.

And "if company ceases to maintain and release updates to product, we will receive the source code for our use" doesn't sound like too poison of a pill for Sales to push through.

All the time, particularly for either very big contracts, or where a large customer is buying from a small supplier who they consider too much of a risk without it
> So why isn't that included in contracts and support plans? Do banks and hospitals even care enough to ask how the supplier plans to deal with an EOL operating system?

Well, maybe there's more to a complex organization like a bank or hospital than software licensing. Maybe their service contracts had these exact contingencies but they've run into other problems that nobody could have predicted when XP was new, like:

* That there would be a Great Recession that would wipe out a lot of firms, including banks, hospitals and medical device manufacturers.

* That there would be a massive new piece of legislation that would tax medical devices heavily, thus changing the way that market works.

* That the same piece of legislation would encourage hospitals to merge into each other through various incentives that were intended to limit the cost of healthcare.

* That Microsoft would decide to break backward compatibility sharply compared to what they did before. Don't laugh at this one; they were business for nearly 30 years when XP came out and never broke backwards compatibility as much as they did in the past 10.

My understanding is actually that in some cases, it's actually even prohibited to update some devices' software. From my understanding, the FDA approves/certifies the software image that controls some radiation-emitting hardware (like X-ray machines), and it can be in some cases unlawful to modify it.
If the actual X-ray machine itself is running Windows XP...

I suddenly feel less good about my next dentist appointment.

There's a sci-fi plot: AI creates malware that infects MRI machines running Windows and uses it to reprogram humans.

Plot twist: this has already been going on for decades.

Nobody expected a Windows release to completely trash hardware driver backward compatibility the way Vista did.

The fact that people are trapped on XP is Microsoft's fault. Because some manager in Microsoft decided that getting the upgrade numbers up by breaking hardware drivers was a good idea, you have a security nightmare decades on.

seems like a false choice. why couldn't i understand what functions these machines exactly needed and then put a small linux box between them and the network which monitors all incoming/outgoing traffic and only allows allow-list items to pass on to the ancient XP device.
Here's two guesses:

1. Well, maybe you could do that with your abundance of skill and time, but not everyone running a hospital/bank/other-large-organization has the time or budget to slap together and maintain that kind of amateur hour rope-and-tin cans proxy shit.

2. Not everything people use a computer for happens over a network. Some people write software because they need to communicate directly with hardware devices. You can’t intercept network traffic when there is no network traffic to intercept.

1. Seems like a business opportunity.

2. I believe we're talking about network accessible devices here. Otherwise why would parent make comment about air-gapping infeasible?

1. Not really. I mean, at some point, if you're going to do it properly, it'll cost money. Unless you can reliably do this for less than or equal to what the hospital is willing to pay, there's no business. "Less than or equal to" is probably not going to be enough money to fix the problem if they already decided not to just try this "just put a linux machine in front" idea.

2. The parent mentioned networking, but networking is not the only threat vector that must be accounted for. Malware can spread through removable media, and most organizations outside of the military or federal government simply don't have the sort of security policies in place to prevent that. So the unpatched vulnerabilities people are talking about can still be exploited even without the network stack doing anything.

If there where a requirement by the hospital that they have access to the source for everything this would just be a matter of hiring a consultant.
Isn't it the case that some organizations do have negotiated access to the Windows source code?
Maybe, it's also true that 100% of Linux users legally have access to the Linux source code.
Governments sure. For vetting purposes supposedly.

Private organisations/companies? Less likely. Would they even have the ability to do a build from the source code?

"Supposedly"

Thanks for that one, I didn't put those together before.

'Just hiring a consultant' to rewrite the software for medical equipment, really? For all our sakes, please never go into the medical industry.
Absolutely.

It's the only way that large institutions will come to properly value the security trade-offs of their decision to buy closed-source, proprietary systems.

Why should the VA get to externalize part of their purchasing decision on to Microsoft?

What do you want health systems to do here? They can only buy FDA approved devices. If there aren't any that run linux that are approved, then they can't buy or use them. Want to change that? Go write a bunch of drivers and DICOM related software for CentOS, then start a device company, then build a device, then wait 10 years for it to get approved, then sell it. And while you're doing all of that, remember to stay ahead of the competition and not run out of cash.

These devices run embedded Windows because they all always have. There's almost no competitive advantage in changing OS vendors in the space, because it doesn't differentiate the product. Even if a device ran CentOS or whatever, you wouldn't be able to update it significantly without going back to the FDA.

> What do you want health systems to do here?

Lobby to change the market instead of externalizing costs; pool money to change the market instead of externalizing costs; etc.

I'm sick of people defending poor long-term decisions by saying they're short-term efficient. The providers aren't helpless entities these things are just happening to: they chose to go down a route that was expensive long-term, but cheap short-term and now are asking to not have to face the consequences of that. I can guarantee that every single institution facing this concern received a technical report pointing out exactly this issue -- and chose to ignore it so a manager could have a bigger bonus.

Instead of addressing the problem, they're asking to be let off the hook of their poor decision making and laying the groundwork for the same mistake. Continually bailing out such poor decision making isn't prudent.

Why would they ever change if there's no consequence?

This isn't a long-term strategy we can afford to support, so we're obligated to let it blow up in their face.

> pool money to change the market instead of externalizing costs You're going to need to clarify what you mean by that.

>I'm sick of people defending poor long-term decisions by saying they're short-term efficient

I'm not defending poor long term decisions, I'm simply describing the reality of a complex set of intersecting political and business systems. Sure, maybe it would be good to lobby the FDA to change rules about updating embedded software, but what should the new rules look like? How do you make sure new linux drivers for an x-ray machine won't have a buffer overflow or off by 1 error that kills people? It has happened.

I'm not even sure that Linux is definitively the right answer for embedded operating systems for safety critical systems. Do you have any evidence to support that claim, which you seem to be making? I'll be happily persuaded if you can clarify why open source is intrinsically better for long lived embedded systems like this.

And add to that the machines are very expensive and there are laws that make it very difficult/illegal to make unapproved modifications to this equipment.
This is pretty much the answer.

The medical device was validated with a certain version of the OS and any special configuration placed on it. If you change the OS/configuration setup in anyway, you (the manufacturer) have to analyze it for impact and potentially re-validate it. The user cannot make this change This would be a violation of FDA regulation.

Now, the hospital can say that they're going to stop using your equipment until you "fix" it --- many such products are leased, not purchased and they may use the lack of security to break the lease. But that presumes they can get a replacement that works as well, train personnel in it, update the supply chain, storage, incoming inspection, etc. for this new product and any supplies it needs...

It's not as simple as running down to MicroCenter and installing a copy of Windows 10!

From my experience (~5 years working as a PCA in a cardiovascular imaging and catheterisation lab), upgrades to large imaging equipment and such is scheduled throughout the year according to the lease plan, and these companies (i.e. Siemens) work together with the OS providers and know full well when operating systems are scheduled to be upgraded. However you're exactly right, it's got to be left specifically to the Siemens tech who comes out to work on the machine.

(Bit of a moot point in agreement, but thought I'd share my 2c)

Those machines should NEVER have shipped with a closed source OS (that wasn't the responsibility of the manufacture) in the first place.

The fault lies entirely with the manufacturer for not providing a system fit for use/sale.

Using an open-source OS isn't a panacea. If $vendor ships a dynamically linked binary tied to a libc version that shipped in Ubuntu Warty Warthog, your upgrade path is just as broken.
C programmers are a lot cheaper than capable reverse engineers, though.
If that's done then there's at least still the option of trying a more recent version of the library, and if THAT breaks paying someone to write a compatibility wrapper for it.

It would still cost money, but at least there's a legal path forward.

Better still would be having a device that operates on some commodity connectivity using standard protocols (APIs/etc) which can be soft-gaped by a firewall / guard that only lets well formed (or at least expressly authorized) requests in.

The open source OSes do go extremely out of their way to provide and keep userland APIs stable, in many cases modern hardware that would be completely unsupported in XP or some other proprietary OS, and again, if something that used to be depended on somehow falls out of support you're at least actually free to pay someone to add in the support you need.

Thousands of consulting companies would be happy to provide repositories with security fixes and long term support services.
This is (at least partially) true, but it strikes me as whataboutery? Yes, open source vendors can fail to follow good open source/free software principles just as closed-course vendors can, and yes "medical equipment is now mostly open source" is not the end of all progress.
This keeps being repeated. But it doesn't excuse it. Either a machine is kept secure/up to date or it's not connected to the internet. If a hospital feels it can't just disconnect the unsafe machines, well then air gap the whole treatment network.

Perhaps there exists an easier middle ground solution such as somehow putting a safe proxy machine in between the unsafe machine and the internet using a very simple controlled communication to the unsafe machine?

Should they be scrapped? Maybe not. But not just left as they are either.

Most importantly: don't BUY that next MRI if it's approved only for a certain OS version and it's a general purpose OS such as Windows, and it will be connected to the internet. If you DO buy it - calculate with writing it off within the support window for the OS. That will show its true cost.

Further, equipment using general purpose OS'es should stop being approved for one version and automatically qualify for newer versions. Alternatively the approval should not be valid beyond the support window unless the machine is air gapped.

> Either a machine is kept secure/up to date or it's not connected to the internet. If a hospital feels it can't just disconnect the unsafe machines, well then air gap the whole treatment network.

I wonder if it would be feasible to protect them with some dedicated firewall/proxy boxes or plug-in modules which could be cheaply updated (compared to the cost of updating and revalidating the whole machine), supplied by multiple vendors, etc.

Those machines are still the responsibility of the hospital and it's their obligation to update them so that the safety and security of their patients is upheld. Inconvenient things happen and companies are expected to adapt to those situations and respond rather than say "it's not our fault", especially in something as critical as medicine.
In many cases, the hospital updating the system puts the system out of compliance and the device can be unlawful to operate.

They can (sometimes) put in intermediary proxies and the like, but that's not a cheap process.

Do you actually want to be x-rayed by a machine running "just fine" on WinXP and not ever air gapped?
Is it possible this means it was a mistake to buy those systems, because they are not based on open source software?

One objection is that these systems may have been the only ones on offer that met requirements. I think one has to consider collective effects, though: were people prepared to 'irrationally' say "I'm still not buying it, because it's not open source", we would end up with open source MRI machines. Of course that's unlikely to happen at present simply because there is NOT a consensus that open source software is important or even a good thing in this context -- but this argument addresses THIS objection.

That kind of stance happens in some situations, and not currently in this one. I don't think that's an immutable state of affairs. Also, I don't think it's because of the high direct costs of saying "no": refusing to pay kidnappers also has a high direct cost and an analogous collective benefit (I'm not aiming for a hyperbolic moral comparison there, I just picked that because, as an extreme case, it makes the point clear).

Kudos to Microsoft for doing this. Who else in the world is patching 16-year-old code well past it's EOL, for free?
Certainly not the people whose code is much older than 16 years and not simply declared EOL for profit reasons.
Blizzard? Diablo 2 got a patch just this year.

I get what you're saying, it's nice that they're doing this, but it's not really so much a goodness of the heart thing as it is that there is a super critical bug to many versions of Windows and there happen to be enough XP machines around that they're a significant threat. The bugs are big enough and the threat great enough that there's probably less cost in patching than there is in dealing with any of the potential fallout.

That's a mighty big assumption that they're doing it for free. It's very possible they have enterprise customers who paid, and now they're releasing for everybody.

Dunno for sure because I'm not familiar with their practices here. But it's a thing.

It's downloadable for free, right there on the page. You are twisting the meaning of words for no good reason.
I think OP meant that they didn't write the patch for free. Someone paid them to write it, then, once written they gave the patch away to everyone for free
I'm sure you could find some oss projects
I'm sure you can't. You might find open source projects that are older than 16 years, e.g. Linux. But that's not the same.

Nobody is maintaining Linux 2.4, which was released in 2001. Its support only lasted until in 2010 as far as I can tell.

I think NetBSD qualifies for whatever criteria you're trying to express.
In that case, let's compare apples with apples- the final release of XP was in 2008. So we're looking for software released on or before 2001, actively developed until 2008, then on life support since then.

On the other hand, many oss projects have rolling releases, so trying to compare like this is futile, expect for the fact they have been maintained for a very long time.

LaTeX 2e has been around since 1994 and is still the current, maintained version.

I don't remember their name. They're a small RTOS vendor based in San Diego. Maybe 8 years ago, we were using their previous (i.e., not under current development) RTOS, and we hit a bug. We called them up, asking for them to create a fix. My boss mentioned that our support agreement had lapsed (expecting that he would have to send them a check to get them to work on it). They said, "Doesn't matter. We wrote it; we'll fix it."

I would gladly give them credit by name, if I could just remember who they are...

Small price to pay for having dominated the OS market for decades, by forcing OEM's to always only ship their OS...
Sad part is that there will still be owners of WinXP who won't patch their systems.
Because the manufacturer of their embedded system went bust, for example.
Or they just don't patch their systems.
I imagine Microsoft gets a dump truck full of cash to open support up on XP like this. I wonder who paid?
Well, the US government's already paying them to maintain XP to begin with. So the patches already exist internally at Microsoft, and it costs them nothing if they just decide "Hey, this patch is such a big deal, we also want to let everyone else have it". Isn't really gonna change the fact that the US government's still paying them for the work.

And computer security benefits from herd immunity tactics, so it's best to get virus updates in as many hands as possible. It's why Microsoft has never really prevented pirated copies of Windows from getting security updates. They benefit from not having old machines potentially causing problems for newer ones, and even just avoiding the bad PR from massive malware attacks.

For that matter the government may well be dictating the patch release schedule too. And certainly the skeptical among us can wonder what else may be in these patches.
Could be related to the The Shadow Brokers threatening to release a new stash of exploits in June, this time targeting Windows 10.

From their announcement on 2017-05-15 [1]:

> In February Microsoft is missing patch Tuesday. TheShadowBrokers is knowing, Microsoft is missing to be making patches for Eternal exploits.

[..]

In March Microsoft is releasing patch for SMB vulnerabilities. TheShadowBrokers is knowing this is being for Eternal exploits. TheShadowBrokers is still waiting and not releasing.

[..]

In April, 90 days from theequationgroup show and tell, 30 days from Microsoft patch, theshadowbrokers dumps old Linux (auction file) and windows ops disks.

[..]

Eternal exploits is not being ZeroDays. [..] patch was being available for 30 days before theshadowbrokers is releasing dump to public.

[..]

TheShadowBrokers Monthly Data Dump could be being:

web browser, router, handset exploits and tools

select items from newer Ops Disks, including newer exploits for Windows 10

compromised network data from more SWIFT providers and Central banks

compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

More details in June.

Their latest message is from 2017-05-29 [2]:

> Q: What is going to be in the next dump?

> TheShadowBrokers is not deciding yet. Something of value to someone. See theshadowbrokers’ previous posts. The time for “I’ll show you mine if you show me yours first” is being over. Peoples is seeing what happenings when theshadowbrokers is showing theshadowbrokers’ first. This is being wrong question. Question to be asking “Can my organization afford not to be first to get access to theshadowbrokers dumps?”

[1] https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy...

[2] https://steemit.com/shadowbrokers/@theshadowbrokers/theshado...

What the hell is with all those present progressive forms?
Has been discussed on HN at length in the respective threads. Some people believe it's to make language analysis harder.
Why is nobody punishing the responsible nation states? I think the nation states who have such irresponsible intelligence agencies should pay every last dime of Microsoft's patching efforts and the damages the hacks and leaks cause.
Well it's a combination of the us and Russia in this case.
If we are talking malware being leaked or escaping to the wild, it's more like the US, Israel and maybe some not-yet-caught European states cooperating with them.
> Why is nobody punishing the responsible nation states?

Because the nation-states involved are legally immune, because of sovereignty and sovereign immunity, and rather resistant to other forms of coercion because of substantial economic power, conventional military forces, and nuclear weapons.

Nation-states are the law. Punishing a nation-state means going to war.