Microsoft Mysteriously Fixed Security Gaps Allegedly Used by US Spies a Month Before They Leaked

On Friday, a cache of hacking tools allegedly developed by the National Security Agency was dumped online.

The news was explosive in the digital security community because the tools contained methods to hack computers running Windows, meaning millions of machines could be at risk. Security experts who tested the tools, leaked by a group called the Shadow Brokers, found they worked. They were panicked:

This is really bad, in about an hour or so any attacker can download simple toolkit to hack into Microsoft based computers around the globe.

— Hacker Fantastic (@hackerfantastic) April 14, 2017

But just hours later, Microsoft announced many of the vulnerabilities were addressed in a security update released a month ago.

“Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers,” Philip Misner, a Microsoft executive in charge of security, wrote in a blog post. “Our engineers have investigated the disclosed exploits, and most of the exploits are already patched.”

Misner’s post showed three of nine vulnerabilities from the leak were fixed in a March 14 security update. Security commentators were bamboozled. As Ars Technica pointed out, when security holes are discovered, the individual or organization that found them is usually credited in the notes explaining the update. No such acknowledgment was found in the March 14 update. Here’s a list of acknowledgments for 2017, showing credit for finding security problems in almost every update.

One theory among security practitioners is that NSA itself reported the vulnerabilities to Microsoft, knowing the tools would be dumped publicly. Microsoft told ZDNet it might not list individuals who discover flaws for a number of reasons, including by request from the discoverer.

The federal government has not commented on this leak, though previous leaks by the Shadow Brokers claiming to be NSA hacking tools were confirmed at least in part by affected vendors and NSA whistleblower Edward Snowden.

The other big revelation from the Shadow Brokers dump is the claim NSA infiltrated the SWIFT banking network through a firm called EastNets in Dubai. EastNets has said it has found no evidence its systems were compromised. The Shadow Brokers’ leak suggests NSA has “implanted” malware in 16 Middle Eastern banks and other financial firms to collect data. Such a set up could have allowed NSA to secretly monitor money flows in the region, Wired reported.

For ordinary internet users, it can be hard to decide between heaving a sigh of relief the security holes have been filled, or feeling even more paranoid these holes existed in the first place.