NSA identifies "critical vulnerability" in Microsoft Windows 10
Washington — The National Security Agency disclosed Tuesday that it has identified a "critical vulnerability" in Microsoft's Windows 10 operating system — but that it reported the flaw to the company and its partners rather than exploiting it for surveillance or hacking purposes.
Anne Neuberger, the head of the NSA's newly restructured cybersecurity directorate, told reporters the agency was recommending that all network owners "expedite" implementation of a patch. She said neither the agency nor Microsoft has, to date, seen exploitation of the flaw, which affected millions of computers.
Microsoft released its patch on Tuesday. In a statement, senior director Jeff Jones said, "We follow the principles of coordinated vulnerability disclosure (CVD) as the industry best practice to protect our customers from reported security vulnerabilities."
The NSA issued a cybersecurity advisory on Tuesday, calling the flaw "severe" and said that "sophisticated cyber actors will understand the underlying flaw very quickly."
"The consequences of not patching the vulnerability are severe and widespread," the advisory said.
Microsoft's update warned that successful exploitation of the flaw could allow cybercriminals to effectively eavesdrop on private communications between two users, in what are known as "man-in-the-middle" attacks.
Computers with automatic updates enabled will automatically receive the patch.
Neuberger also said Microsoft will, in unprecedented fashion, give attribution to the NSA as the company posts the patch. This, she said, was an effort by the agency to "build trust" with its partners and the public.
She noted that select government agencies were provided a classified update on the flaw "prior to today," without specifying when that notification occurred.
"We wanted to lean forward and raise awareness," Neuberger said. "The percentage of enterprises that patch is still far lower than it needs to be."
The move is a departure from precedent. The NSA has in the past accumulated cyber tools it could use to spy on adversaries. It previously weaponized a different Microsoft vulnerability to create a tool known as EternalBlue, which has since been used by suspected Russian and Chinese hackers.
Part of the NSA's efforts to improve its partnerships with the government, the private sector and the public, Neuberger said, would involve "turning a leaf" and sharing, rather than storing, information about vulnerabilities.
General Paul Nakasone, who heads both the NSA and U.S. Cyber Command, has charged the cybersecurity directorate with more quickly disseminating unclassified products that are designed to help other government agencies, the military, and private companies protect themselves from cyber threats.
Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA) Bryan Ware, who also spoke on the call, said that agency will be "stressing the urgency" of this patch to national, international, state, local and tribal partners and directing federal agencies to implement it within 10 days.