NSA found a dangerous Microsoft software flaw and alerted the firm — rather than weaponize it

By ELLEN NAKASHIMA | The Washington Post | Published: January 14, 2020

WASHINGTON — The National Security Agency recently discovered a major flaw in Microsoft's Windows operating system — one that could potentially expose computer users to significant breaches or surveillance, and alerted the firm to the problem rather than turn it into a hacking weapon, according to people familiar with the matter.

The disclosure represents a major shift in the NSA's approach, choosing to put computer security ahead of building up its arsenal of hacking tools that allow the agency to spy on adversaries' networks, according to the people familiar with the matter who spoke on condition of anonymity because of the sensitivity of the matter. .

Microsoft planned to issue a patch for the flaw Tuesday, the individuals said.

"Big kudos to NSA for voluntarily disclosing to Microsoft," said computer security expert Dmitri Alperovitch in a tweet Tuesday morning. "This is the type of [vulnerability] I am sure the [NSA hackers] would have loved to use for years to come."

The vulnerability — essentially a mistake in the computer code — affects the Windows 10 operating system, which is the most widely used today, according to the people who were briefed on the matter.

The discovery has been likened to a slightly less severe version of the Microsoft flaw that the NSA once weaponized by creating a hacking tool dubbed EternalBlue, which one former agency hacker said was like "fishing with dynamite."

Microsoft declined to comment.

The NSA used EternalBlue for more than five years, but when it learned that the tool had been obtained by others, it alerted Microsoft, which issued a patch in early 2017. About a month later, Shadow Brokers, a suspected Russian hacking group, released the NSA tool online.

Malicious hackers turned it to their own purposes, launching massive ransomware campaigns such as the one dubbed WannaCry, which created global havoc and costly damage to businesses and other organizations.

EternalBlue worked on all Windows systems, not just one, which made it so potent. The flaw the NSA just uncovered would be useful to hackers seeking to break into some computers running Windows 10, which is used in a majority of companies and organizations.

Anne Neuberger, the director of the NSA's Cybersecurity Directorate, which was launched last October, is expected to announce Tuesday the agency's discovery of the flaw and its warning to Microsoft.

Companies like Microsoft and Adobe use digital signatures to stamp software as authentic. This helps to prevent malware infections that might try to disguise themselves as legitimate. The NSA discovered an error in the Microsoft code that verifies those signatures, potentially enabling a hacker to forge the signature and install spyware or ransomware on a computer.

"Code-signing is one of the most effective tools we have to keep malicious software off of computers," said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University.

If the flaw is patched quickly, it's not that dangerous, he added. "If a lot of people don't patch, it could be a disaster."

In a call with experts on Tuesday morning, NSA said that Microsoft will report that it has seen no active exploitation of the flaw, one of the people on the briefing said.