The Washington PostDemocracy Dies in Darkness

NSA found a dangerous Microsoft software flaw and alerted the firm — rather than weaponizing it

A sign outside the National Security Agency campus in Fort Meade, Md., on June 6, 2013. (Patrick Semansky/AP)

The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could expose computer users to significant breaches, surveillance or disruption — and alerted the firm about the problem rather than turning it into a hacking weapon, officials announced Tuesday.

The public disclosure represents a major shift in the NSA’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools that allow the agency to spy on adversaries’ networks.

“This is . . . a change in approach . . . by NSA of working to share, working to lean forward and then working to really share the data as part of building trust,” said Anne Neuberger, director of the NSA’s Cybersecurity Directorate, which was launched in October. “As soon as we learned about [the flaw], we turned it over to Microsoft.”

Cybersecurity professionals hailed the move.

“Big kudos to NSA for voluntarily disclosing to Microsoft,” computer security expert Dmitri Alperovitch said in a tweet Tuesday. “This is the type of [vulnerability] I am sure the [NSA hackers] would have loved to use for years to come.”

NSA officials worried about the day its potent hacking tool would get loose. Then it did.

The bug — essentially a mistake in the computer code — affects the Windows 10 operating system, the most widely used in government and business today.

Microsoft issued a patch for the flaw Tuesday. The company’s plan to issue a fix for the vulnerability was first reported Monday in the KrebsOnSecurity blog.

“A security update was released on January 14, 2020 and customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible,” Jeff Jones, senior director at Microsoft, said in a statement.

The NSA’s action may help restore the agency’s image, which was tarnished after it lost control of a powerful hacking tool it called EternalBlue. One former agency hacker said using EternalBlue was like “fishing with dynamite” because the intelligence yields were so bountiful.

The NSA built that weapon by exploiting a software flaw in some Microsoft Windows operating systems, and used it for at least five years without telling the company. But when the agency learned that the tool had been obtained by others, it alerted Microsoft, which issued a patch in early 2017. About a month later, Shadow Brokers, a suspected Russian hacking group, released the NSA tool online.

Despite the patch, Russian and North Korean hackers were able to turn the tool to their own purposes, launching destructive attacks such as NotPetya and WannaCry that created global havoc and costly damage to businesses and other organizations.

The NSA, which was still recovering from surveillance disclosures by a former agency contractor, suffered a further hit to its reputation. To this day, companies are grappling with ransomware and intrusions enabled by EternalBlue, though some ransomware attacks have been erroneously linked to the tool.

“Right now [Neuberger’s] trying to rebuild the reputation of NSA’s role in the defense of the nation,” said Richard “Dickie” George, who until 2011 was the agency’s technical director for information assurance. “You’re trying to build public confidence in the NSA.”

EternalBlue worked on all Windows systems, not just one, which made it so potent. The flaw the NSA recently uncovered would be useful to hackers seeking to break into some computers running Windows 10.

When a Windows user logs onto a website, the user’s browser checks the authenticity of the site through software provided by Microsoft. The NSA discovered an error in the software code that fails to properly check the authenticity.

A sophisticated hacker seeking to exploit the flaw could build a weapon that reroutes users to malicious sites, steals files, activates microphones, records keystrokes and passwords, wipes disks, installs ransomware, “you name it,” said Jake Williams, a former NSA hacker who co-founded Rendition Infosec, a cybersecurity firm.

Microsoft and the NSA reported that they have seen no active exploitation of the flaw.

“If the flaw is patched quickly, it’s not that dangerous,” said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University. “If a lot of people don’t patch, it could be a disaster.”

The bug disclosure is the first major announcement to come from the new directorate, which reflects NSA Director Paul Nakasone’s desire to enhance the defensive mission of an agency known for its prowess at hacking foreign networks for intelligence.

George, who for years ran an internal NSA process to weigh whether to disclose software vulnerabilities to industry, said the agency informed vendors of flaws in the vast majority of cases. Many were not significant enough to be considered for use by the agency’s hackers. He said that “we had given 1,500 [bugs] to Microsoft in two years” in the early 2000s.

In the past, when the NSA disclosed flaws to companies, “no one knew we did it.” That was partly because the companies did not want to advertise that they were working with the spy agency, he said.

Secrecy has other merits, George said. Announcing that a vulnerability is being patched gives malicious hackers a chance to find a way to exploit it, he said.

But Neuberger said the agency wants to ensure that the wider public heeds the warning. “Cybersecurity network owners have far more alerts and other things on any given day than they can possibly address,” she said. “We routinely hear that what they most value is our flagging the things that are most important. So our notification to them . . . is . . . carefully timed to achieve that objective.”