Given the NSA’s track record with vulnerability disclosures, it’s somewhat of an anomaly when it actually decides the security of millions of innocent computer users is more important than its exploitation of a security flaw. Ellen Nakishima has the details for the Washington Post:
The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could potentially expose computer users to significant breaches or surveillance — and alerted the firm of the problem rather than turn it into a hacking weapon, according to people familiar with the matter.
The flaw affects Windows 10 users, the largest user base Microsoft currently has. The vulnerability could have been weaponized by the NSA, as so many others have been. The agency has consistently withheld knowledge of vulnerabilities from affected companies until the exploits have outlived their uselessness.
The equity program, meant to ensure companies are notified of serious software flaws, has routinely been ignored by the NSA, leading directly to the EternalBlue cataclysm that saw malicious hackers repurpose the exploit and unleash ransomware attacks on multiple targets around the world.
Microsoft was not happy. It released a long statement decrying the Intelligence Community’s refusal to completely participate in the Vulnerability Equities Process. As ransomware attacks brought multiple critical facilities to their knees, the NSA was justifying its “better way too late than never” approach with statements about the difficulty of developing useful surveillance tools.
It may have been Microsoft’s response to the WannaCry attacks that prompted the NSA’s proactive disclosure of this vulnerability. This security flaw is strikingly similar to the one exploited for years by the NSA — the one that became ransomware once the Shadow Brokers made the vulnerability available to whoever wanted it.
The discovery has been likened to a slightly less severe version of the Microsoft flaw that the NSA once weaponized by creating a hacking tool dubbed EternalBlue, which one former agency hacker said was like “fishing with dynamite.”
Like EternalBlue, the vulnerability disclosed here is “God mode” for malicious hackers and surveillance agencies.
Companies like Microsoft and Adobe use digital signatures to stamp software as authentic. This helps to prevent malware infections that might try to disguise themselves as legitimate. The NSA discovered an error in the Microsoft code that verifies those signatures, potentially enabling a hacker to forge the signature and install spyware or ransomware on a computer.
Microsoft’s patch will have been issued by the time you read this. The good news beyond the NSA’s surprise disclosure is that Microsoft has not seen the flaw exploited. Yet. A patch is only as good as the end users’ application of it. That’s somewhat beyond Microsoft’s control but Windows 10 is pretty aggressive about pushing updates, so it shouldn’t take too long to close this hole.
This likely doesn’t signal a large-scale change in the way the IC handles vulnerability disclosure. Exploits and vulnerabilities will continue to be hoarded, even if the potential collateral damage is billions of dollars. After all, billions will be lost by targets of attacks predicated on hoarded vulnerabilities. The NSA won’t lose anything, not even a little sleep.
Permalink | Comments | Email This Story