Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandingly, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation.
When a potential vulnerability is reported to Microsoft, either from an internal or external source, the Microsoft Security Response Center (MSRC) kicks off an immediate and thorough investigation. We work to swiftly validate the claim and make sure legitimate, unresolved vulnerabilities that put customers at risk are fixed. Once validated, engineering teams prioritize fixing the reported issue as soon as possible, taking into consideration the time to fix it across any impacted product or service, as well as versions, the potential threat to customers, and the likelihood of exploitation.
Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.
|“EternalBlue”||Addressed by MS17-010|
|“EmeraldThread”||Addressed by MS10-061|
|“EternalChampion”||Addressed by MS17-010|
|“ErraticGopher”||Addressed prior to the release of Windows Vista. CVE-2017-8461|
|“EsikmoRoll”||Addressed by MS14-068|
|“EternalRomance”||Addressed by MS17-010|
|“EducatedScholar”||Addressed by MS09-050|
|“EternalSynergy”||Addressed by MS17-010|
|“EclipsedWing”||Addressed by MS08-067|
Of the three remaining exploits, “EnglishmanDentist”(CVE-2017-8487), “EsteemAudit” CVE-2017-0176), and “ExplodingCan” (CVE-2017-7269), none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.
We have long supported coordinated vulnerability disclosure as the most effective means to ensure customers and the computing ecosystem remains protected. This collaborative approach enables us to fully understand an issue and to deliver protection before customers are at risk due to public disclosure of attack methods. We work closely with security researchers worldwide who privately report concerns to us at email@example.com. We also offer bug bounties for many reported vulnerabilities to help encourage researchers to disclose responsibly.
Principal Security Group Manager
Microsoft Security Response Center
Update June 13, 2017: Updates were made to this blog today in order to provide CVE numbers for additional updates released as part of June 2017 Update Tuesday release. For more information on this release, visit the MSRC blog “June 2017 security update release.”