After canceling its February Patch Tuesday and delaying the release of Windows updates, Microsoft unexpectedly released a patch for a group of vulnerabilities addressed by MS17-010. This patch was released immediately before the Shadow Brokers hacking group published a set of Windows exploits. Although the Shadow Brokers purport to have stolen these exploits from NSA, there has been no public confirmation of this to date. However, per public reporting, the exploits are thought to date from around 2013.
Microsoft has not disclosed how it came to know about the vulnerabilities included in the MS17-010 patch. Microsoft also has not disclosed any information about “in the wild” exploitation of these vulnerabilities. Both pieces of information are clearly in the public interest and will help shape conversations around the Vulnerabilities Equities Process (VEP).
Microsoft collects telemetry on process and system crashes (crash dumps) and can use these reports to discover vulnerabilities being actively exploited in the wild. Microsoft wrote a blog post about finding MS08-067 using this telemetry. It is completely reasonable to assume that just as Microsoft had telemetry available to perform analysis on MS08-067, they also have telemetry available for MS17-010.
If the tools released by Shadow Brokers are from NSA (as the Shadow Brokers claim), NSA would have known no later than January 8th what exploits the Shadow Brokers had in their possession. The Shadow Brokers released the actual exploits on April 14th. It’s also worth noting that the Shadow Brokers (and possibly other entities) had access to these exploits and may have been using them for some time before they were patched in February.
This whole event poses several questions that are valuable to the public interest and can help drive public policy around the Vulnerabilities Equities Process. It is fairly certain (and understandable) that NSA will not be releasing information about the exploits patched in MS17-010. However, Microsoft has no such national security issues inhibiting such a disclosure.
At Rendition Infosec, we understand the need for nation-states to conduct cyber espionage for legitimate foreign intelligence goals. However, the loss of control over tools leveraged to conduct said cyber espionage should be disclosed to the public at large. Information security practitioners defending the general public are at an extreme disadvantage when they suddenly become exposed to such advanced capabilities.
Call for data from Microsoft
Rendition Infosec also realizes that in the global cyber security community, there is much that Microsoft can help to clarify. Rendition Infosec is publicly calling on Microsoft to share the following details to enhance the understanding of the global security community. If for national security reasons Microsoft cannot release certain parts of this information, we still encourage them to release what they feel they can, in accordance with national security regulations and customer privacy considerations.
- Did Microsoft discover the vulnerabilities patched in MS17-010, or was it notified of the vulnerabilities by a third party? If reported by a third party, which organization reported the vulnerabilities?
- When was Microsoft first aware of the vulnerabilities patched in MS17-010?
- Does Microsoft telemetry indicate that the vulnerabilities in MS17-010 were exploited in the wild prior to the Shadow Brokers release of the tools on April 14, 2017?
- If telemetry shows that these vulnerabilities were exploited, is the exploitation consistent with one hacking group or multiple hacking groups?
- If telemetry shows that these vulnerabilities were exploited, did the rate of exploitation accelerate after the first appearance of the Shadow Brokers in 2016?
- If telemetry shows that these vulnerabilities were exploited, did the rate of exploitation accelerate after the dump of exploit file names on January 8, 2017?
What insight will these answers provide?
Some of these questions seem nuanced and, to the outside observer, might not seem important. But every question that Microsoft is willing to answer will help security professionals understand issues such as:
- What is the lifetime of exploits such as those patched in MS17-010 in the wild?
- Once one attacker finds a vulnerability such as those patched by MS17-010, how likely is it that another attacker will also find and leverage the same vulnerability?
- Once a nation-state attacker loses control of an exploit (as appears to have happened with the Shadow Brokers case), does exploitation of that vulnerability increase?
- Once a nation-state attacker loses control of an exploit, is the nation-state that originally discovered it likely to disclose this to others?
Sign the petition
If you agree with Rendition Infosec that it is in the public interest for Microsoft to release its telemetry regarding MS17-010, please sign our petition. Rendition will present the petition results to Microsoft when we reach 5,000 signatures or in 30 days (whichever comes first).