The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could potentially expose computer users to significant breaches, surveillance or disruption — and alerted the firm of the problem rather than turn it into a hacking weapon, officials announced Tuesday.
The public disclosure represents a major shift in the NSA’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools that allow the agency to spy on adversaries’ networks.
“This is … a change in approach … by NSA of working to share, working to lean forward, and then working to really share the data as part of building trust,” said Anne Neuberger, director of the NSA’s Cybersecurity Directorate, which was launched in October.
Cyber security professionals hailed the move.
“Big kudos to NSA for voluntarily disclosing to Microsoft,” said computer security expert Dmitri Alperovitch in a tweet Tuesday morning. “This is the type of [vulnerability] I am sure the [NSA hackers] would have loved to use for years to come.”
The bug— essentially a mistake in the computer code — affects the Windows 10 operating system, the most widely used in government and business today.
Microsoft issued a patch for the flaw on Tuesday. The company’s plan to issue a fix for the vulnerability was first reported Monday in the KrebsOnSecurity blog.
“A security update was released on January 14, 2020 and customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible,” said Jeff Jones, senior director at Microsoft, in a statement.
The discovery has been likened to a slightly less severe version of the Microsoft flaw that the NSA once weaponized by creating a hacking tool dubbed EternalBlue, which one former agency hacker said was like “fishing with dynamite.”
The NSA used EternalBlue for more than five years, but when it learned that the tool had been obtained by others, it alerted Microsoft, which issued a patch in early 2017. About a month later, Shadow Brokers, a suspected Russian hacking group, released the NSA tool online.
Malicious hackers turned it to their own purposes, launching massive ransomware campaigns such as the one dubbed WannaCry, which created global havoc and costly damage to businesses and other organizations.
EternalBlue worked on all Windows systems, not just one, which made it so potent. The flaw the NSA uncovered would be useful to hackers seeking to break into some computers running Windows 10.
Companies like Microsoft and Adobe use digital signatures to stamp software as authentic. This helps to prevent malware infections that might try to disguise themselves as legitimate. The NSA discovered an error in the Microsoft code that verifies those signatures, potentially enabling a hacker to forge the signature and install spyware or ransomware on a computer.
“Code-signing is one of the most effective tools we have to keep malicious software off of computers,” said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University.
If the flaw is patched quickly, it’s not that dangerous, he added. “If a lot of people don’t patch, it could be a disaster.”
Microsoft has reported that it has seen no active exploitation of the flaw.
The bug disclosure is the first major announcement to come from the new directorate, which reflects NSA Director Gen. Paul Nakasone’s desire to enhance the defensive mission of an agency known for its prowess at hacking foreign networks for intelligence.