This article is from the source 'washpo' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at https://www.washingtonpost.com/national-security/nsa-found-a-dangerous-microsoft-software-flaw-and-alerted-the-firm--rather-than-weaponize-it/2020/01/14/f024c926-3679-11ea-bb7b-265f4554af6d_story.html

The article has changed 7 times. There is an RSS feed of changes available.

Version 1 Version 2
NSA found a dangerous Microsoft software flaw and alerted the firm — rather than weaponize it NSA found a dangerous Microsoft software flaw and alerted the firm — rather than weaponize it
(about 1 hour later)
The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could potentially expose computer users to significant breaches or surveillance — and alerted the firm of the problem rather than turn it into a hacking weapon, according to people familiar with the matter.The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could potentially expose computer users to significant breaches or surveillance — and alerted the firm of the problem rather than turn it into a hacking weapon, according to people familiar with the matter.
The disclosure represents a major shift in the NSA’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools that allow the agency to spy on adversaries’ networks, according to the people, who spoke on the condition of anonymity because of the sensitivity of the matter.The disclosure represents a major shift in the NSA’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools that allow the agency to spy on adversaries’ networks, according to the people, who spoke on the condition of anonymity because of the sensitivity of the matter.
Microsoft plans to issue a patch for the flaw on Tuesday, the individuals said.Microsoft plans to issue a patch for the flaw on Tuesday, the individuals said.
“Big kudos to NSA for voluntarily disclosing to Microsoft,” said computer security expert Dmitri Alperovitch in a tweet Tuesday morning. “This is the type of [vulnerability] I am sure the [NSA hackers] would have loved to use for years to come.”“Big kudos to NSA for voluntarily disclosing to Microsoft,” said computer security expert Dmitri Alperovitch in a tweet Tuesday morning. “This is the type of [vulnerability] I am sure the [NSA hackers] would have loved to use for years to come.”
NSA officials worried about the day its potent hacking tool would get loose. Then it did.NSA officials worried about the day its potent hacking tool would get loose. Then it did.
The vulnerability — essentially a mistake in the computer code — affects the Windows 10 operating system, the most widely used today, according to the people who were briefed on the matter.The vulnerability — essentially a mistake in the computer code — affects the Windows 10 operating system, the most widely used today, according to the people who were briefed on the matter.
The discovery has been likened to a slightly less severe version of the Microsoft flaw that the NSA once weaponized by creating a hacking tool dubbed EternalBlue, which one former agency hacker said was like “fishing with dynamite.”The discovery has been likened to a slightly less severe version of the Microsoft flaw that the NSA once weaponized by creating a hacking tool dubbed EternalBlue, which one former agency hacker said was like “fishing with dynamite.”
Microsoft declined to comment.Microsoft declined to comment.
The NSA used EternalBlue for more than five years, but when it learned that the tool had been obtained by others, it alerted Microsoft, which issued a patch in early 2017. About a month later, Shadow Brokers, a suspected Russian hacking group, released the NSA tool online.The NSA used EternalBlue for more than five years, but when it learned that the tool had been obtained by others, it alerted Microsoft, which issued a patch in early 2017. About a month later, Shadow Brokers, a suspected Russian hacking group, released the NSA tool online.
Malicious hackers turned it to their own purposes, launching massive ransomware campaigns such as the one dubbed WannaCry, which created global havoc and costly damage to businesses and other organizations.Malicious hackers turned it to their own purposes, launching massive ransomware campaigns such as the one dubbed WannaCry, which created global havoc and costly damage to businesses and other organizations.
EternalBlue worked on all Windows systems, not just one, which made it so potent. The flaw the NSA just uncovered would be useful to hackers seeking to break into some computers running Windows 10, which is used in a majority of companies and organizations.EternalBlue worked on all Windows systems, not just one, which made it so potent. The flaw the NSA just uncovered would be useful to hackers seeking to break into some computers running Windows 10, which is used in a majority of companies and organizations.
Anne Neuberger, the director of the NSA’s Cybersecurity Directorate, which was launched in October, is expected to announce Tuesday the agency’s discovery of the flaw and its warning to Microsoft.Anne Neuberger, the director of the NSA’s Cybersecurity Directorate, which was launched in October, is expected to announce Tuesday the agency’s discovery of the flaw and its warning to Microsoft.
Companies like Microsoft and Adobe use digital signatures to stamp software as authentic. This helps to prevent malware infections that might try to disguise themselves as legitimate. The NSA discovered an error in the Microsoft code that verifies those signatures, potentially enabling a hacker to forge the signature and install spyware or ransomware on a computer.Companies like Microsoft and Adobe use digital signatures to stamp software as authentic. This helps to prevent malware infections that might try to disguise themselves as legitimate. The NSA discovered an error in the Microsoft code that verifies those signatures, potentially enabling a hacker to forge the signature and install spyware or ransomware on a computer.
“Code-signing is one of the most effective tools we have to keep malicious software off of computers,” said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University.“Code-signing is one of the most effective tools we have to keep malicious software off of computers,” said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University.
If the flaw is patched quickly, it’s not that dangerous, he added. “If a lot of people don’t patch, it could be a disaster.”If the flaw is patched quickly, it’s not that dangerous, he added. “If a lot of people don’t patch, it could be a disaster.”
In a call with experts Tuesday morning, the NSA said that Microsoft will report that it has seen no active exploitation of the flaw, one of the people on the briefing said. Microsoft has reported that it has seen no active exploitation of the flaw.
Microsoft’s plan to issue a fix for the vulnerability was first reported Monday in the KrebsOnSecurity blog.