This article is from the source 'washpo' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at https://www.washingtonpost.com/national-security/nsa-found-a-dangerous-microsoft-software-flaw-and-alerted-the-firm--rather-than-weaponize-it/2020/01/14/f024c926-3679-11ea-bb7b-265f4554af6d_story.html

The article has changed 7 times. There is an RSS feed of changes available.

Version 2 vs. Version 3
NSA found a dangerous Microsoft software flaw and alerted the firm — rather than weaponize it
(Version 3 published about 2 hours later)
Version 2: The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could potentially expose computer users to significant breaches or surveillance — and alerted the firm of the problem rather than turn it into a hacking weapon, according to people familiar with the matter.
Version 3: The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could potentially expose computer users to significant breaches, surveillance or disruption — and alerted the firm of the problem rather than turn it into a hacking weapon, officials announced Tuesday.
Version 2: The disclosure represents a major shift in the NSA’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools that allow the agency to spy on adversaries’ networks, according to the people, who spoke on the condition of anonymity because of the sensitivity of the matter.
Version 3: The public disclosure represents a major shift in the NSA’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools that allow the agency to spy on adversaries’ networks.
Version 2: Microsoft plans to issue a patch for the flaw on Tuesday, the individuals said.
Version 3: “This is ... a change in approach ... by NSA of working to share, working to lean forward, and then working to really share the data as part of building trust,” said Anne Neuberger, director of the NSA’s Cybersecurity Directorate, which was launched in October.
Cybersecurity professionals hailed the move.
“Big kudos to NSA for voluntarily disclosing to Microsoft,” said computer security expert Dmitri Alperovitch in a tweet Tuesday morning. “This is the type of [vulnerability] I am sure the [NSA hackers] would have loved to use for years to come.”
Version 2: The vulnerability — essentially a mistake in the computer code — affects the Windows 10 operating system, the most widely used today, according to the people who were briefed on the matter.
Version 3: The bug — essentially a mistake in the computer code — affects the Windows 10 operating system, the most widely used in government and business today.
Microsoft issued a patch for the flaw on Tuesday. The company’s plan to issue a fix for the vulnerability was first reported Monday in the KrebsOnSecurity blog.
“A security update was released on January 14, 2020 and customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible,” said Jeff Jones, senior director at Microsoft, in a statement.
The discovery has been likened to a slightly less severe version of the Microsoft flaw that the NSA once weaponized by creating a hacking tool dubbed EternalBlue, which one former agency hacker said was like “fishing with dynamite.”
Microsoft declined to comment.
The NSA used EternalBlue for more than five years, but when it learned that the tool had been obtained by others, it alerted Microsoft, which issued a patch in early 2017. About a month later, Shadow Brokers, a suspected Russian hacking group, released the NSA tool online.
Malicious hackers turned it to their own purposes, launching massive ransomware campaigns such as the one dubbed WannaCry, which created global havoc and costly damage to businesses and other organizations.
Version 2: EternalBlue worked on all Windows systems, not just one, which made it so potent. The flaw the NSA just uncovered would be useful to hackers seeking to break into some computers running Windows 10, which is used in a majority of companies and organizations.
Version 3: EternalBlue worked on all Windows systems, not just one, which made it so potent. The flaw the NSA uncovered would be useful to hackers seeking to break into some computers running Windows 10.
Anne Neuberger, the director of the NSA’s Cybersecurity Directorate, which was launched in October, is expected to announce Tuesday the agency’s discovery of the flaw and its warning to Microsoft.
Companies like Microsoft and Adobe use digital signatures to stamp software as authentic. This helps to prevent malware infections that might try to disguise themselves as legitimate. The NSA discovered an error in the Microsoft code that verifies those signatures, potentially enabling a hacker to forge the signature and install spyware or ransomware on a computer.
“Code-signing is one of the most effective tools we have to keep malicious software off of computers,” said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University.
If the flaw is patched quickly, it’s not that dangerous, he added. “If a lot of people don’t patch, it could be a disaster.”
Microsoft has reported that it has seen no active exploitation of the flaw.
Version 2: Microsoft’s plan to issue a fix for the vulnerability was first reported Monday in the KrebsOnSecurity blog.
Version 3: The bug disclosure is the first major announcement to come from the new directorate, which reflects NSA Director Gen. Paul Nakasone’s desire to enhance the defensive mission of an agency known for its prowess at hacking foreign networks for intelligence.