Microsoft has underlined the importance of keeping software up to date by confirming that no supported versions of its software are vulnerable to leaked NSA hacking tools.
None of the hacking tools allegedly stolen from the US National Security Agency by the Shadow Brokers hacking group work against supported versions of Windows, claims Microsoft.
According to the software firm, it released automatic security updates for all supported versions of the Windows operating system before the hacking group published details of the tools on 14 April 2017.
“Our engineers have investigated the disclosed exploits, and most of the exploits are already patched,” said Microsoft in a blog post.
The software company confirmed that patches had been issued for the following exploits: EternalBlue; EmeraldThread; EternalChampion; ErraticGopher; EsikmoRoll; EternalRomance; EducatedScholar; EternalSynergy and EclipsedWing.
“Of the three remaining exploits, ‘EnglishmanDentist’, ‘EsteemAudit’ and ‘ExplodingCan’, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk”, said Microsoft.
Security advisors have joined Microsoft in encouraging all Windows users to upgrade to supported versions of the operating system and to ensure that all available security patches have been applied.
Many businesses still have older versions of Microsoft operating systems such as Windows XP and Windows Server 2003 on their networks that are vulnerable to attack because they are no longer receiving security updates.
Leo Taddeo, chief security officer of Cryptzone said that while disclosure is important, knowing about the vulnerabilities is not nearly enough.
“According to the 2016 Verizon Data Breach Investigations Report, most successful attacks exploit known vulnerabilities that have never been patched despite patches being available for months, or even years.
“So while it’s important that Microsoft publicly disclosed the vulnerabilities and issued a patch, the challenge for enterprises is to update their infrastructure with the latest supported version of the affected products,” he said.
No details provided over hacking knowledge
Phillip Misner, principal security group manager at the Microsoft Security Response Center, provided no details of how Microsoft became aware of the hacking tools ahead of their publication.
He said only that Microsoft has long supported coordinated vulnerability disclosure as the “most effective” means to keeping software secure.
“This collaborative approach enables us to fully understand an issue and to deliver protection before customers are at risk due to public disclosure of attack methods.
“We work closely with security researchers worldwide who privately report concerns to us at firstname.lastname@example.org. We also offer bug bounties for many reported vulnerabilities to help encourage researchers to disclose responsibly,” said Misner.