NSA Surprises Microsoft With A Vulnerability Disclosure Just In Time For Patch Tuesday
from the what-do-you-give-to-a-company-that-has-everything-but-knowledge-of-this-exploit dept
Given the NSA’s track record with vulnerability disclosures, it’s somewhat of an anomaly when it actually decides the security of millions of innocent computer users is more important than its exploitation of a security flaw. Ellen Nakishima has the details for the Washington Post:
The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could potentially expose computer users to significant breaches or surveillance — and alerted the firm of the problem rather than turn it into a hacking weapon, according to people familiar with the matter.
The flaw affects Windows 10 users, the largest user base Microsoft currently has. The vulnerability could have been weaponized by the NSA, as so many others have been. The agency has consistently withheld knowledge of vulnerabilities from affected companies until the exploits have outlived their uselessness.
The equity program, meant to ensure companies are notified of serious software flaws, has routinely been ignored by the NSA, leading directly to the EternalBlue cataclysm that saw malicious hackers repurpose the exploit and unleash ransomware attacks on multiple targets around the world.
Microsoft was not happy. It released a long statement decrying the Intelligence Community’s refusal to completely participate in the Vulnerability Equities Process. As ransomware attacks brought multiple critical facilities to their knees, the NSA was justifying its “better way too late than never” approach with statements about the difficulty of developing useful surveillance tools.
It may have been Microsoft’s response to the WannaCry attacks that prompted the NSA’s proactive disclosure of this vulnerability. This security flaw is strikingly similar to the one exploited for years by the NSA — the one that became ransomware once the Shadow Brokers made the vulnerability available to whoever wanted it.
The discovery has been likened to a slightly less severe version of the Microsoft flaw that the NSA once weaponized by creating a hacking tool dubbed EternalBlue, which one former agency hacker said was like “fishing with dynamite.”
Like EternalBlue, the vulnerability disclosed here is “God mode” for malicious hackers and surveillance agencies.
Companies like Microsoft and Adobe use digital signatures to stamp software as authentic. This helps to prevent malware infections that might try to disguise themselves as legitimate. The NSA discovered an error in the Microsoft code that verifies those signatures, potentially enabling a hacker to forge the signature and install spyware or ransomware on a computer.
Microsoft’s patch will have been issued by the time you read this. The good news beyond the NSA’s surprise disclosure is that Microsoft has not seen the flaw exploited. Yet. A patch is only as good as the end users’ application of it. That’s somewhat beyond Microsoft’s control but Windows 10 is pretty aggressive about pushing updates, so it shouldn’t take too long to close this hole.
This likely doesn’t signal a large-scale change in the way the IC handles vulnerability disclosure. Exploits and vulnerabilities will continue to be hoarded, even if the potential collateral damage is billions of dollars. After all, billions will be lost by targets of attacks predicated on hoarded vulnerabilities. The NSA won’t lose anything, not even a little sleep.
Filed Under: nsa, patch tuesdsay, veb, vulnerabilities, vulnerabilities equities program, windows 10
Companies: microsoft
Comments on “NSA Surprises Microsoft With A Vulnerability Disclosure Just In Time For Patch Tuesday”
Love that I use Linux. While that is no guarantee that that tomorrow a zero day will be discovered for it, it seems with far less users of the OS, there is less malware developed for it. It is by default far more secure.
Re: Re:
Dude. Do you even read Techdirt?
You know all that stuff about IoT devices with lousy security, getting compromised en masse to form botnets of unprecedented scale? Linux, all of it.
For years, the Linux community has been laughing at Windows for needing malware protection, smugly asserting the superiority of their system’s security. The retort from the Windows side of things has always been, "it’s only because you’re not big enough of a target; if that ever changes, you’ll get malware just as bad as us."
Turns out that wasn’t true; once the IoT changed the target profile, Linux got security problems orders of magnitude worse than Windows has ever had. Why? Probably because while they’ve spent the last 30 years laughing at the people who have had a big enough market share to have to take security seriously, while the people they were laughing at have had to take it seriously and have learned and improved their product. Linux is now stuck in the kind of security mess Windows evolved past decades ago.
Whose turn it it to be smug now?
Re: Re: Re:
unfortunately you seem to be very confused. Linux is only one single piece of an OS (very much unlike windows which is an entire OS). The ‘Linux’ on many IOT device is rarely like the Linux distro installed on peoples desktop/laptops/cellphones/etc.
Trying to compare the security of Linux vs windows is meaningless. It’s like trying to compare silmarillions with space-lizards.
You could come pare say Ubuntu 14.04 with windows 10. That would make some amount of sense. But you did not.
Incidentally, I hear that Microsoft has announce the next version of WSL will contain an actual Linux kernel (aka actual Linux).
Re: Re: Re:
Almost all malware on IOT devices get there because the users do not change default logins and passwords, or choose well known passwords. That is not so much an operating system vulnerability, but rather a people vulnerability.
Re: Re: Re:
That’s just not true (or not sufficiently demonstrated). Both systems have had lots of security vulnerabilities, and both have fairly similar security models. The bad reputation of Windows started around Windows 95 and 98, when the OS literally had no security. MS are doing much better now, with neither system being horribly worse than the other. (MS developers are likely better than Linux developers at this, but the complexity of their backward-compatibility guarantees makes their task harder. If you ignore Win32, GDI, etc., the NT kernel itself has a very good record.)
Don’t count Android problems against "Linux" unless they’re bugs that affected mainline kernels. Unfortunately, Linux has been stagnating with its security model—unlike Android, it doesn’t have per-application permissions—so we can also have Linux problems that don’t affect Android.
Re: Re: Re: Re:
It has AppArmour and SeLinux, plus the latest development, containers which can be used to isolate applications.
Re: Re: Re:2 Re:
True, it was an overly harsh criticism. But those are designed to be configured by an administrator or packager. The non-technical user, in practice, gets little control by those methods, and has to hope somebody else got it right. And they’re not something users or app-writers can use dynamically; I cannot, for example, easily use those methods to spawn an arbitrary program in a sandbox. (There’s stuff like bwrap and firejail, but they usually need to be setuid-root to work and are otherwise implemented in overly complex ways.)
The BSDs, by contrast, have unveil and Capsicum. Plan 9 had unprivilged filesystem namespaces without the security problems this would cause on Linux. Android (and especially its mods) let the user easily decide what permissions each app should get.
Re: Re: Re:3 Re:
That applies to all non technical users regardless of how simple or complex security is to set up. Also, most users would reduce security when the stronger controls become inconvenient.
Re: Re: Re:4 Re:
"Do you want this app to have access to your camera" doesn’t require much technical skill. It’s a much better situation than "your user ID is 1000, and uid 1000 is in the video group, so everything you run has access" (unless you take near-heroic steps to prevent it).
Re: Re: Re:5 Re:
Very few Linux applications want access to the camera, and Firefox control camera and microphone access. This may be because Linux applications are not relying on or associated with entities making money from advertising. Android and Iphone on the other hand….
Also, it is largely laptops, or all in one systems, that have inbuilt cameras and microphones, and the camera at least is easy to cover. Phones and tablets on the other hand have at least one of each.
Re: Re: Re:6 Re:
Addendum:
Almost all applications on Linux are compiled and tested independently by the builders of several hundred distros. This strongly discourages applications from doing naughty, or questionable things. Having the source code available to anyone makes doing something that you shouldn’t a risky undertaking.
Re: Re: Re:
"You know all that stuff about IoT devices with lousy security, getting compromised en masse to form botnets of unprecedented scale? Linux, all of it."
Well, sure…if you gut all the parts which render it secure from the usual default selection of modules added to the kernel – as is usually done with IoT devices – then what you’ve got is a reliably open door.
That still doesn’t change the fact that a fully functional Linux OS built to accommodate a laptop, desktop, or computing device (smartphone/tablet) then the game changes.
"Linux got security problems orders of magnitude worse than Windows has ever had."
Nope, and nope again. Again, the IoT vulnerability issue is the same you’ll find in any gadget which was often designed, by default, as an open door. Linux by design can be described as a vault. If you remove the door that vault is now by default insecure. It’s that simple.
"Whose turn it it to be smug now?"
Still Linux fans, i fear. Windows 10 may be more secure than windows 7 which was more secure than XP which was more secure than Vista…and that’s where we stop since mentioning the two previous versions by name in the same sentence as the word "security" is unholy to the point of summoning eldritch demons.
…But windows is still, by design, still less secure than any full desktop Linux distro.
Re: Re:
Linux is not just a desktop operating system. It also runs millions (billions?) of Android phones. When’s the last time you’ve seen an update available for your (or someone you know) Android phone? Hardly ever and possibly actually never, which makes "Linux" many magnitudes less secure than Windows has ever been since there are known security problems and no fix will ever be available for you to install. You literally have to throw the device away and buy a new one!
Re: Re: Re:
The same can be said about windows, when you consider XP, Vista, & etc. Sooner or later devices become incapable of being upgraded due to requirements moving on with improving hardware capacities. Just because Linux does not make a big thing about new versions of anything does not mean it is not involving, indeed if anything it is moving faster than windows, although some distros will support a version for several years with only security updates, while other stay with the leading edge of software..
Re: Re: Re:
Android phones update constantly, what are you on about exactly?
Re: Re: Re:
"When’s the last time you’ve seen an update available for your (or someone you know) Android phone?"
Once a month or more, if you run Android One.
Less so if you run an UI designed by a lazy-ass OEM who insists on running their own software on the phone.
"Hardly ever and possibly actually never, which makes "Linux" many magnitudes less secure than Windows has ever been since there are known security problems and no fix will ever be available for you to install."
Again, you are talking out of your ass. If you want security then run an android One phone and start getting tired of the monthly updates. The issue is with every OEM which fails to update its own version of the OS – so if you went with Samsung or HTC you might be screwed but with the Moto android One or the Xiaomi Mi A3 you aren’t.
"You literally have to throw the device away and buy a new one!"
Rather than root, install cyanogen, and keep it for five more years, you mean?
Are you being paid for ragging on linux or are you truly dumb enough to continually spew outright falsehoods without even fact-checking what you must have read from some ten-year-old Microsoft propaganda sheet?
Re: Re: Re: Re:
He has maybe an eighth of a point. Some Linux distros suck security wise. However basically all of his complaints about Linux…. don’t actually apply to Linux. Maybe tomorrow he will blame you for life on Earth being carbon based (perhaps while extolling the virtual of silicon without having a clue about the differences).
Re: Re: Re:2 Re:
"However basically all of his complaints about Linux…. don’t actually apply to Linux."
Yeah, i think half of his beef with "linux" seems to actually be aimed at Java, which is a different kettle of fish altogether.
"Maybe tomorrow he will blame you for life on Earth being carbon based (perhaps while extolling the virtual of silicon without having a clue about the differences)."
I wouldn’t be surprised, given both his wordwalls of broken logic relying on manifestly false assumption.
He should apply for a job at the white house. Trump always needs new press secretaries.
Re: Re:
"It is by default far more secure."
Ironically much thanks to the NSA who actually authored the Secure-enhanced (SE) version of linux. Plenty of their improvements have made it to the mainstream versions currently in use today.
I heard that Windows 7 and 8 have the same flaw but no one was sure if Windows 7 would get an update since it has been EOL’ed.
Re: Re:
It’s definitely circumstantial, but a win7 VM that I use on a regular basis got an updated version of c:windowssystem32crypt32.dll this morning after I ran windows update on the system.
The timestamps on the file show a modification date of 12/10/2019 12:32AM, and a local file creation date of 1/14/2020 11:32AM.
I’m pretty sure that file hadn’t been touched since I did a new install on the VM back in the June time frame, and outside of this vulnerability there aren’t a lot of reasons that MS would have re-built it and distributed it if it hadn’t been subject to the same vulnerability.
Re: Re: Re:
Lucky you. Today, January 14 2020, is literally the day that MS is ending extended support. Or so they claim.
Re: Re: Re: Re:
They will still offer paid support for enterprise customers.
Re: Re: Re: Re:
People always misunderstand what that "end of support" means. It only means they’re not going to provide tech support to businesses who run Windows 7, and they’re not going to work on new features, new hardware compatibility, or other quality-of-life improvements.
But even Windows XP still receives the occasional security bugfix. Windows 7 is not becoming abandonware.
Re: Re: Re:2 Re:
Here’s what MS say: "As of January 14, 2020, your computer running Windows 7 will still function but Microsoft will no longer provide the following: … Software updates; Security updates or fixes […]. While you could continue to use your PC running Windows 7, without continued software and security updates, it will be at greater risk for viruses and malware." But the business link says "For users of Windows 7 Professional and Windows 7 Enterprise, you can purchase extended security updates through January 2023."
They’re really hiding that 2023 thing. Wikipedia says mainstream support ended 5 years ago, and who would have "extended support" other than businesses (who are good till 2023)?
What if NSA wasn't first?
Can’t help wondering if other countries or hacker groups are already using exploits on this?
Re: What if NSA wasn't first?
Find malware already being used against your spies? Report the flaw and presto, all better!
Re: What if NSA wasn't first?
"Can’t help wondering if other countries or hacker groups are already using exploits on this?"
That would certainly be a very hard motivator for the NSA to instantly reveal the exploit and encourage a quick fix.
Intelligence wants Microsoft Jeffery, stop wasting your precious money.
What a load of crap. This vulnerability isn’t in the same galaxy of severity as the pre-auth insta-Administrator on a default-installed network exposed service that EternalBlue granted.
Re: Re:
Correct me if I’m wrong, but isn’t this issue just "people can make fake software certificates that look valid"?
Half of the software I use doesn’t have a valid certificate in the first place because it’s either ancient, or it’s from indie devs who can’t afford to register their programs, so I have to click through that "yes, trust this software from Little Game Company even though it doesn’t have a valid certificate". So I never use the certificate as a metric of trustworthiness. If I have any doubts, I compare checksums and use virus scanners like MalwareBytes.
Re: Re: Re:
Not just fake code signing (which isn’t just an issue for userland software, but drivers too), but fake certificates generally, which is an issue because it means that Mallory can now go to town with this all over CryptoAPI’s TLS implementation. (Imagine what a treasure trove being able to MITM Windows Update would be!)
Re: Re: Re: Re:
But this patch is for the ECC types not the RSA based ones. So it also depends on which type of signature generation method you use.
Given how the NSA likes to leave their toys laying around for anyone to find & abuse… perhaps someone with a functioning brain decided its better to patch the systems than hand every skiddy a well developed 1 button gui to hack the planet.
No such thing as a good deed.
Well I’m thoroughly skeptical of the NSA’s motives in making this disclosure. Microsoft’s previous complaints most likely have little to do with it. The cynical side of me screams at me that they either know the vulnerability was discovered by an adversary or they had another security breach and the knowledge got out of their exclusive control, prompting the disclosure in hopes Microsoft fixes the mess for them before it becomes exploited and they face another PR nightmare.
All that tells me is that the NSA has a Win10 exploit that is so powerful and all-encompassing that they don’t need any others.
Linux
Linux is not just a desktop operating system. It also runs millions of Android phones. When’s the last time you’ve seen an update available for your Android phone? Ever and possibly, which makes "Linux" many magnitudes less secure than Windows 10 help has ever been since there are known security problems and no fix will ever be available for you to install. You literally have to throw the device away and buy a new one!