Earlier this year "The Shadow Brokers" -- an entity claiming to have stolen hacking tools from the NSA and then offering them for sale -- seemed to pack up shop, but the group has continued on. Today, it made a new post containing a number of working exploits for Windows machines running everything from XP up to at least Windows 8. As for Windows 10, the stolen data appears to date from 2013 and so predates the latest OS; it isn't immediately apparent whether it's vulnerable, but early results indicate at least some of the tools don't work on it.
Update (4/15): Microsoft responded early Saturday morning, saying that the seven leaked flaws that affect supported systems have all already been patched. The story gets a bit more interesting from there: four of them were patched only last month, suggesting someone informed the company about the security issues before TSB could leak them.
This is really bad, in about an hour or so any attacker can download a simple toolkit to hack into Microsoft based computers around the globe.— Hacker Fantastic (@hackerfantastic) April 14, 2017
WINDOWS 10 does not appear impacted by ETERNALBLUE or ETERNAL exploit series in my lab test.— Hacker Fantastic (@hackerfantastic) April 14, 2017
Releasing this information ahead of a holiday weekend may make it harder for Microsoft and IT workers to respond, as anyone with bad intentions now has access to a number of previously unknown exploits. As security researchers like Matthew Hickey (aka @hackerfantastic) scan through tools with names like ETERNALBLUE (a remote exploit for XP and above) and FUZZBUNCH (a framework that helps control use of the other attacks), Marcy Wheeler notes that the NSA has known these tools were out there since January, when The Shadow Brokers listed them for sale.
Lost in Translation — Steemit https://t.co/OH5UexWJsG enjoy!— theshadowbrokers (@shadowbrokerss) April 14, 2017
For now, the response from a Microsoft spokesperson is that "We are reviewing the report and will take the necessary actions to protect our customers."
So what is there to do if you're not a network admin and just use a Windows computer, whether at work or at home? In a quote to Motherboard, one hacker said to have formerly worked for the Department of Defense says plainly that "It's not safe to run an internet-facing Windows box right now."
Of course, your PC is -- or should be -- behind a router/firewall. I spoke to Travis Smith, a Senior Security Research Engineer at Tripwire, and he explained that for the tools released, they largely rely on local network protocols that attackers use to move from one compromised PC to others across a network. As he put it "even if you aren't running the latest greatest operating system and you don't have antivirus, if your Windows laptop isn't plugged directly into the internet, then your risk profile greatly diminishes." If you do have an antivirus, like Microsoft's Windows Defender, or products from McAfee, Kaspersky and the like, they should update quickly to recognize these executables now that they're known.
Contacted via email, Matthew Hickey expressed a similar outlook, saying that "most home users will not be directly impacted by these vulnerabilities as an attacker needs to connect to services on their computer. The risk is much bigger to enterprise and businesses who rely on these services to connect online."
@GossiTheDog You are people, Kev!— Ned Pyle (@NerdPyle) April 14, 2017
Worth noting that every version of Windows since Vista has SMB server svc blocked inbound by firewall by default also
For folks at home, this isn't a big deal. Install the Windows Updates when Windows Update says "install me!". But you should do that anyway.— Pwn All The Things (@pwnallthethings) April 14, 2017
@JukesSitus No SMB, no remote desktop, and not sure if that's enough. These should not be reachable from Internet, but could rip through institutions.— Nicholas Weaver (@ncweaver) April 14, 2017
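As an added example (not from the article or from anyone quoted in it), here is a PowerShell check of the exposure the thread above is talking about: whether SMB and Remote Desktop have a listener on this host, and which enabled inbound firewall rules would let them be reached. It assumes Windows 8 / Server 2012 or later (the NetSecurity, NetTCPIP and SmbShare cmdlets) and an elevated prompt; the port numbers are the standard ones, and the rule matching is a deliberate simplification of my own (port ranges in a rule are shown but not expanded).

```powershell
# Added example, not from the article: report whether the services the leaked
# tools target (SMB, plus RDP as named in the thread) are reachable inbound on
# this Windows host. Assumes Windows 8 / Server 2012 or later and an elevated
# PowerShell prompt.

# Ports named in the discussion: SMB over TCP 445 / NetBIOS session 139, RDP 3389.
$targets = [ordered]@{
    'SMB (TCP 445)'             = 445
    'NetBIOS session (TCP 139)' = 139
    'RDP (TCP 3389)'            = 3389
}

# Which network profile is active? A laptop on "Public" Wi-Fi gets the strictest rule set.
Write-Host "Active network profiles:"
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory |
    Format-Table -AutoSize | Out-String | Write-Host

# Local TCP ports that currently have a listener.
$listening = Get-NetTCPConnection -State Listen |
    Select-Object -ExpandProperty LocalPort -Unique

# Enabled inbound Allow rules for TCP (or any protocol), flattened with their port filter.
# Simplification: a rule whose LocalPort is a range such as "135-139" is listed verbatim
# rather than expanded, so it will not match a single port below.
$allowRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $filter = $rule | Get-NetFirewallPortFilter
    if ($filter.Protocol -in 'TCP', 'Any') {
        [pscustomobject]@{
            Name      = $rule.DisplayName
            Profile   = $rule.Profile
            LocalPort = @($filter.LocalPort)
        }
    }
}

foreach ($name in $targets.Keys) {
    $port = $targets[$name]
    $open = @($allowRules | Where-Object {
        $_.LocalPort -contains 'Any' -or $_.LocalPort -contains "$port"
    })
    $status = if ($listening -contains $port) { 'listening' } else { 'not listening' }
    Write-Host ("{0}: {1}; {2} enabled inbound allow rule(s)" -f $name, $status, $open.Count)
    foreach ($r in $open) {
        Write-Host ("    {0} [{1}]" -f $r.Name, $r.Profile)
    }
}

# SMB server dialects: SMB1 is the legacy dialect and the one to turn off if nothing needs it.
$smb = Get-SmbServerConfiguration
Write-Host ("SMB1 enabled: {0}; SMB2 enabled: {1}" -f $smb.EnableSMB1Protocol, $smb.EnableSMB2Protocol)
```

Read the output against the two claims in the thread: a port that is "not listening", or that has no enabled allow rule on the profile you are currently connected with, is not reachable by a remote attacker regardless of patch level; a port that is listening and allowed on the Public profile would answer if the machine were plugged straight into the internet, which is the case the quoted researchers warn about. This only inspects the host firewall, so the separate point that a home PC sits behind a router still applies on top of it.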