Taranaki Daily News

NSA alerts Microsoft to major software flaw


The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system – one that could expose computer users to significant breaches, surveillance or disruption – and alerted the company about the problem rather than turning it into a hacking weapon, officials announced yesterday.

The public disclosure represents a major shift in the NSA’s approach: the agency chose to put computer security ahead of building up the arsenal of hacking tools that allow it to spy on adversaries’ networks.

“This is . . . a change in approach . . . by NSA of working to share, working to lean forward and then working to really share the data as part of building trust,” said Anne Neuberger, director of the NSA’s Cybersecurity Directorate, which was launched in October. “As soon as we learned about [the flaw], we turned it over to Microsoft.”

Cybersecurity professionals hailed the move.

“Big kudos to NSA for voluntarily disclosing to Microsoft,” computer security expert Dmitri Alperovitch said in a tweet. “This is the type of [vulnerability] I am sure the [NSA hackers] would have loved to use for years to come.”

The bug – essentially a mistake in the computer code – affects the Windows 10 operating system, the most widely used in government and business today.

Microsoft issued a patch for the flaw yesterday. The company’s plan to issue a fix for the vulnerability was first reported on Tuesday in the KrebsOnSecurity blog.

“A security update was released on January 14, 2020 and customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible,” Jeff Jones, senior director at Microsoft, said.

The NSA’s action may help restore the agency’s image, which was tarnished after it lost control of a powerful hacking tool it called EternalBlue. One former agency hacker said using EternalBlue was like “fishing with dynamite” because the intelligence yields were so bountiful.

The NSA built that weapon by exploiting a software flaw in some Microsoft Windows operating systems, and used it for at least five years without telling the company. But when the agency learned that the tool had been obtained by others, it alerted Microsoft, which issued a patch in early 2017. About a month later, Shadow Brokers, a suspected Russian hacking group, released the NSA tool online.

Despite the patch, Russian and North Korean hackers were still able to turn it to their own purposes, launching destructive attacks such as NotPetya and WannaCry that created global havoc and costly damage to businesses and other organisations.

The NSA, which was still recovering from surveillance disclosures by a former agency contractor, suffered a further hit to its reputation. To this day, companies are still grappling with ransomware and intrusions enabled by EternalBlue, though some ransomware attacks have been erroneously linked to the tool.

“Right now [Neuberger’s] trying to rebuild the reputation of NSA’s role in the defence of the nation,” said Dickie George, who until 2011 was the agency’s technical director for information assurance. “You’re trying to build public confidence in the NSA.”

The bug disclosure is the first major announcement to come from the new directorate, which reflects NSA Director General Paul Nakasone’s desire to enhance the defensive mission of an agency known for its prowess at hacking foreign networks for intelligence.

George, who for years ran an internal NSA process to weigh whether to disclose software vulnerabilities to industry, said the agency informed vendors of flaws in most cases. Many are not significant enough to be considered for use by the agency’s hackers.

He said “we had given 1500 [bugs] to Microsoft in two years” in the early 2000s.

In the past, when the NSA disclosed flaws to companies, “no one knew we did it.”

That was partly because the companies did not want to advertise that they were working with the spy agency, he said. – Washington Post
