A new report suggests the NSA did disclose details of the EternalBlue flaw to Microsoft, but experts question how the vulnerability remediation process was handled and if the patches were delayed unnecessarily.
The timing of EternalBlue has raised questions for experts because Microsoft made history by cancelling Patch Tuesday in February, then released the fixes for the EternalBlue flaws in a March 2017 Patch Tuesday bulletin, about one month before the Shadow Brokers unlocked the full details of the EternalBlue exploit.
When the Shadow Brokers released those details, Microsoft claimed that "other than reporters, no individual or organization has contacted us in relation to the materials released by the Shadow Brokers," but also acknowledged certain cases where it would not reveal the source of a disclosure.
However, according to The Washington Post, the NSA disclosed the EternalBlue exploit details to Microsoft in August 2016. And, separate analysis of the out-of-band patches released in the aftermath of WannaCry showed that Microsoft had created the fixes for legacy systems in February 2017.
Jeremiah Grossman, chief of security strategy at SentinelOne, suggested that Microsoft may have made the patches for supported and unsupported systems all at once as part of routine vulnerability remediation.
"It's possible Microsoft had patches ready for unsupported systems at the same time as the supported systems, because the code between them was identical," Grossman told SearchSecurity. "And if not, Microsoft knew the vulnerability was remotely exploitable and wormable, so in an abundance of caution, they had it at the ready in case something happened -- it did."
Jonathan Cran, vice president of product at Bugcrowd, said Microsoft may have been "following standard policy in a nonstandard situation [by] only releasing out-of-band patches for exploitation in the wild."
"By the time WannaCry hit, it was much too late for anyone still running XP. Microsoft would have known that this was a wormable vulnerability, much like Blaster and Sasser in the early 2000s, and could have taken steps to release a patch and an advisory to out-of-support customers earlier," Cran told SearchSecurity. "While these out-of-support systems are privately owned, and no longer paying customers, their state does affect the health of everyone, and the policy needs to be adjusted for potentially wormable vulnerabilities."
Aviv Grafi, CTO of Votiro, said that by not completing the vulnerability remediation for legacy systems when the patch was ready, "Microsoft decided to put its users at risk, as opposed to providing them with the security patches as soon as possible."
"The community understands that unsupported systems cannot get any regular updates, but in this case Microsoft was well aware that XP and Server 2003 were in use in most critical infrastructure organizations and these are the organizations that are in charge of most of public services," Grafi told SearchSecurity. "This is clearly not what is expected from the market leader that is responsible for 90% of the operating systems in the world."
Microsoft did not respond to questions about the timing of the EternalBlue patches, but said in a statement, "Those who are running our free antivirus software or have Windows Update enabled are protected. Given the potential impact to customers and their businesses, we have also released updates for Windows XP, Windows 8, and Windows Server 2003."
That risk appears to extend beyond the massive WannaCry ransomware threat as well. Gil Barak, CTO and co-founder at incident response firm Secdo, said his firm found "at least three different groups" exploiting the Windows Server Message Block (SMB) v1 flaw used in EternalBlue.
"We have found evidence of much more sophisticated actors leveraging the NSA EternalBlue exploit to infect, install backdoors and exfiltrate user credentials in networks around the world, including the U.S., three weeks prior to the WannaCry attack," Barak wrote in a blog post. "These attacks might pose a much bigger risk than WannaCry. Even if companies were able to block WannaCry and patch the SMB Windows exploit, a backdoor may persist and compromised credentials may be used to regain access."
NSA vulnerability remediation
According to The Washington Post, not only did the NSA disclose details of the EternalBlue exploit to Microsoft in August 2016, but U.S. government agencies and military branches began vulnerability remediation against the SMB flaw in 2014.
Mounir Hahad, senior director at Cyphort Labs, criticized the government for protecting itself but leaving the public at risk.
"It's a fine balancing act to develop offensive capabilities while protecting our own infrastructure. If we know of a vulnerability, we have to assume the opposite side knows about it too. Protecting government and military equipment against a vulnerability and leaving the rest of us vulnerable is a shortsighted strategy: Threat actors seeking to spy on us will compromise government officials and military brass through their private computers or their kids' laptops," Hahad told SearchSecurity. "Disclosure of vulnerabilities in my opinion remains the best strategy and lets offensive capabilities be developed using other methods."
Denelle Dixon, chief legal and business officer at Mozilla, said the government needs better disclosure policies, such as the newly introduced PATCH Act.
"The EternalBlue exploit has once again starkly demonstrated the risks to users that can occur when the government withholds vulnerabilities from affected companies," Dixon told SearchSecurity. "The government needs a process that ensures the relevant actors from across the government are around the table, taking all of the interests and risks into account, and with enough transparency and oversight to make sure they're coming to the right decisions."
Cran said any government vulnerability remediation and disclosure process needs to have public safety as the priority.
"Our intelligence agencies must have capabilities to perform their mission without endangering the public," Cran said. "As soon as the cache was suspected or discovered to be compromised -- in any form -- it should be disclosed to the vendor to be addressed, keeping with vulnerability disclosure norms."