MIT Technology Review

The NSA found a dangerous flaw in Windows and told Microsoft to fix it

The secretive security agency identified the vulnerability and is taking public credit as part of an effort to “build trust.”

The National Security Agency discovered a major flaw in Microsoft Windows that would have allowed hackers to compromise the newest versions of Windows 10, an operating system used by nearly one billion devices. 

The cryptographic flaw could allow an attacker to disguise malware as legitimate software. “The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said. Exploiting the vulnerability could also allow a hacker to intercept and modify encrypted internet communications, according to a Carnegie Mellon University report.

In a rare agency press release, the NSA urged Windows users to update and said the “critical” vulnerability would be quickly understood by government-sponsored hackers.

The agency handed the flaw over to Microsoft, which published a fix on January 14. Not so long ago, the NSA would have simply used the exploit for its own offensive goals, but the country’s intelligence agencies have changed their strategy in the last decade. The decision to fix the flaw rather than use it as a weapon represents a victory for the NSA’s Cybersecurity Directorate, the recently launched department charged with the agency’s cyberdefense mission.

“When the new cybersecurity directorate was first stood up, we noted we wanted to do things differently,” said Anne Neuberger, the director of the department. “We want a new approach to sharing, to build trust with the cybersecurity community. This is one key aspect of that.”

With this flaw, Neuberger is making her mark in a public way on the notoriously secretive agency.

In 2008, the US began developing a plan called the “Vulnerabilities Equities Process” to deal with major technology flaws and cyber capabilities. The goal was to improve defense of information systems in the United States—no country relies more on a safe and secure internet. The NSA is the executive agency behind the plan, which also includes the FBI, the CIA, the Departments of Energy, State, Commerce, and more. The goal is a complete process to weigh the nation’s offensive and defensive needs as new flaws are discovered.

“This is the essential tension of the digital age,” said Jason Healey, a former White House cybersecurity official. “How much do we use this [offensively], and how much do we want to be secure when we’re online?”

This exploit was taken to the Vulnerabilities Equities Process and then disclosed to Microsoft, Neuberger said.

The NSA said it has not seen any exploits of the Windows flaw. Microsoft, which has extraordinary visibility into which exploits are used around the world, also says it has not seen the flaw exploited. 

Although the NSA has reported vulnerabilities to software companies for years, this is the first time it has taken public credit.

“A part of building trust is showing the data,” Neuberger said. “We’ve submitted vulnerabilities for a long time, but we’ve never permitted attribution, and as a result it’s hard for entities to trust us. The second part of the decision is that we want to lean forward to advise critical infrastructure networks, to raise awareness. In order to do so, we knew we had to be very transparent about it.”

The NSA has always had a defensive cyber mission alongside its much more high-profile offensive mission. In 2017, the agency reported a hacking tool called EternalBlue to Microsoft, which proceeded to issue a fix. That report came after an opaque hacking group called Shadow Brokers, suspected to be Russian intelligence operatives, stole the tools. After the fix was issued, Shadow Brokers published them online. 

Microsoft has now released an official patch for the current flaw, but it may still take a long time for updates to take effect. EternalBlue was used in some of the biggest hacking incidents ever, including the WannaCry ransomware campaign, months after fixes were published. 

That same risk applies to today’s critical flaw. There is always a delay between when a fix is published and when protection is actually applied to machines around the world. That’s a window of time hackers aim to exploit. Experts recommend updating your machine regularly. 

This article has been updated with more specific information on the vulnerability.