Microsoft has confirmed that its latest round of security patches fixes the three remaining vulnerabilities targeted by hacking tools built by the National Security Agency.
The company confirmed to ZDNet that it had reversed course after saying it would not fix the vulnerabilities, which affect only older operating systems that have since been retired, notably Windows XP and Windows Server 2003.
The release comes as the software giant warned of an “elevated risk for destructive cyberattacks” following last month’s ransomware-based cyberattack.
It’s the latest twist in a cat-and-mouse game between the National Security Agency and Microsoft in recent months, after the intelligence agency lost control of its arsenal of hacking tools.
An unknown hacker group obtained the cache of tools in one of the biggest breaches of classified files since the Edward Snowden revelations. These tools allowed NSA analysts to break into a range of systems, network equipment, and firewalls, and most recently, Linux servers and a range of Windows operating systems, many of which were old and outdated. The group attempted to auction off the files but failed, and it has been releasing portions of the stolen files in stages.
Microsoft said in April that most of the flaws had already been patched, but three exploits remained unaddressed. The company said at the time that the remaining flaws affected only older, unsupported versions of Windows, and that users should upgrade.
But after last month’s massive WannaCry outbreak, which locked thousands of computers with ransomware, Microsoft is patching the rest of the exploits in an effort to avoid a repeat of the attack.
A spokesperson said that the three Windows exploits, dubbed ENGLISHMANDENTIST, ESTEEMAUDIT, and EXPLODINGCAN (the last of which had also been independently discovered), are now fixed in June’s security updates.
Jake Williams, founder of Rendition Infosec, a security consultancy group, said that users of older operating systems can likely expect more threats in the future.
“The move by Microsoft to patch these vulnerabilities will be read by many as a signal that there is no real need to update their legacy operating systems. This is the third time Microsoft has updated legacy operating systems (XP) to reduce exposure to vulnerabilities being exploited in the wild,” he said. “Given that Microsoft has never left legacy operating systems exposed to a widely exploited vulnerability, organizations can conclude this behavior will likely continue in the future.”
“But newer versions of the operating system have many built-in exploit mitigations that make the attacker’s job dramatically more difficult, even when exploiting a known vulnerability,” he added.
“These vulnerabilities have been known to Microsoft for some time. The timing of the patches suggests that Microsoft has some telemetry indicating an increase in their use in the wild,” he said.
Microsoft said that the decision to patch the flaws was a “rare move,” adding that it “should not be viewed as a departure from our standard servicing policies.”
“Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly,” the company said, but urged users of older operating systems to upgrade as soon as possible.
Microsoft did not outright say that the NSA was behind the exploits targeting its operating systems, but did confirm that the hacking tools were the result of “nation-state activity.”
An NSA spokesperson declined to comment.