Zero-Day Vulnerabilities against Windows in the NSA Tools Released by the Shadow Brokers

In April, the Shadow Brokers -- presumably Russia -- released a batch of Windows exploits from what is presumably the NSA. Included in that release were eight different Windows vulnerabilities. Assuming the data was stolen sometime between 2012 and 2013, a date inferred from the timestamps of the documents and the tools' limited Windows 8 support:

  • Three were already patched by Microsoft. That is, they were not zero days, and could only be used against unpatched targets. They are EMERALDTHREAD, EDUCATEDSCHOLAR, and ECLIPSEDWING.

  • One was discovered to have been used in the wild and patched in 2014: ESKIMOROLL.

  • Four were only patched when the NSA informed Microsoft about them in early 2017: ETERNALBLUE, ETERNALSYNERGY, ETERNALROMANCE, and ETERNALCHAMPION.

So of the five serious zero-day vulnerabilities against Windows in the NSA's pocket, four were never independently discovered. This isn't new news, but I haven't seen this summary before.

Posted on July 28, 2017 at 6:16 AM • 15 Comments

Comments

Alan • July 28, 2017 6:29 AM

I guess this is some evidence, though, that Microsoft does not deliberately create backdoors for the NSA.

Santa Claus • July 28, 2017 6:59 AM

"four were never independently discovered"

"at least four were never independently announced" would be more correct - we don't know they weren't discovered...

Andrew • July 28, 2017 8:42 AM

"So of the five serious zero-day vulnerabilities ...four were never independently discovered"
This is because the NSA vulnerabilities finding team is better than the rest of the world, combined.

WhiskersInMenlo • July 28, 2017 9:54 AM

The Russian link speculation is interesting. Given the global footprint of Windows, how does Russia get interesting bugs fixed so their WindowZ systems are secure? How does a nation state that makes money from cyber criminal cash flow maintain the cash flow?

Some bugs can be easy to audit and also be defended against exploit by firewalls or system admin tricks. Some of these easy-to-defend flaws are also easy to exploit and, for citizens at home, are trouble. We turn telnet off for reasons, yet there was an ssh bug so bad a couple of decades ago that telnet was safer. Note telnet itself is not a bug...

Fixing bugs and constraining "features" seems important at many levels.

Anon • July 28, 2017 10:41 AM

@Andrew:
"This because NSA vulnerabilities finding team is better than the rest of the world, combined."
To make that assessment, we'd need one other number - how many similar exploits were patched in that time period that the NSA did not find. The fact that "NSA-found exploits" are not a subset of "known exploits" is hardly surprising.

Czerno • July 28, 2017 11:45 AM

All 8 exploit names start with an initial letter E. Is that encoding something about individual NSA exploits, perhaps their date, category, ...? Was this seen in earlier disclosed samples of NSA malware? Here I'm assuming the names are as originated by the NSA.

Ph • July 28, 2017 2:10 PM

The chances that the Shadow Brokers are nation-state actors decrease every month they keep up their monthly paid subscriptions, in my opinion.

Santa Claus • July 28, 2017 2:32 PM

Even if we assume the NSA found 4 that were not announced, what if the Israelis found 6 or 8? Or the Russians found 7? Or the Chinese found 9? And none were ever announced...

Govt Source Code Access - NOT just the NSA • July 28, 2017 3:01 PM

@Andrew:
'This because NSA vulnerabilities finding team is better than the rest of the world, combined.'

Power of Rulers
Maybe it's because the NSA gets the source code. Same too for other nation states.
Several years ago China demanded access to modify Windows code as a condition of Microsoft doing business in the country.
Now think who is friends with Russia??? It's NOT just the NSA.

Not Just The White House Leaking
Incidentally, China is enacting unprecedented and draconian laws to reduce US eavesdropping. A high-level Chinese defector claimed 25,000 spies in the USA... they too (mostly employees) are also after source code and design docs.

Ross Snider • July 29, 2017 1:19 AM

"Shadow Brokers -- presumably Russia"

Bruce. Please stop being so irresponsible. I have read and fully understood your opinion piece on why you believe the Shadow Brokers are Russian Intelligence. It's very far from clear that your presumptions are complete, accurate or true. Of course you have free speech and can say whatever you wish, but I do urge you to be responsible about your speech. Your audience should have a clear understanding that it is far from established that the Shadow Brokers are Russian Intelligence. Repeated references to this belief do not make the credulous argument any stronger.

About the content: this seems to be further indication that caches of cyberweapons will be independently discovered on a reasonably short timeline, making them far from NOBUS.

I actually do believe in the NOBUS concept, where there is some kind of trapdoor function in the backdoor (Dual EC for example could only be exploited by Western intelligence, or those who had hacked Western intelligence to the degree it could directly impersonate them by using the private key).

However, in most cases it's not clear how to functionally develop trapdoor protected backdoors outside the field of cryptography.

Gleb OrliogloAugust 12, 2017 1:50 AM

Hello Bruce! Firstly, I want to express my deep respect. My name is Gleb. I live in Moscow, Russia. Recently, Russia gives hacker services every day.))) But I'll tell you the truth, I know a little of our background ... Well, in most cases, we seem to have nothing more to do. Just let me hack something. I thought for a while about who the Shadow Brokers are. And I was visited by the idea that it is likely to be an insider. And these people in this way can be said to save the US national security. Arranging the leak and opening 0-day exploits - vendors gradually close holes. You, Bruce, repeatedly wrote that the NSA undermines such a security policy of the USA. And giving out NSA exploits for free - closes holes in your security. Such actions can be called patriotic toward the USA!

Gleb OrliogloAugust 12, 2017 1:59 AM

It remains only for experts from China to speak out) I think if this were a trace of the governments, the exploits would remain in the instruments of the special forces allegedly committing an attack. Russian hackers also close 0-day and sell exploit packs. But laying them out for free is profitable to no one!
