The Fort Meade, Maryland-based National Security Agency’s cybersecurity work typically operates out of view. After all, it famously earned the nickname “No Such Agency.”
But this week, the NSA went public with a security flaw it found. The “serious vulnerability” was flagged in Microsoft products including Windows 10 and Server 16. The bug traces to a weakness in a cryptography function that verifies whether a system is downloading software that is legitimately from Microsoft.
“You can use that weakness to make Windows  systems download and install software that appears to be coming from Microsoft that is not,” said Edward Stanford, CTO of Columbia-based Zuul, which works with customers on certificate management and cryptography management for industrial controls and Internet of Things systems.
This could lead attackers to develop new exploits that take control of systems. The NSA alerted Microsoft to the vulnerability, and the company released a patch to fix systems. NSA then went public with a key message: Update systems with a patch.
“This is bad,” Stanford said. “If you do it right then you can take over most networks or computers that are Windows-based. The faster they get patched, the less true that statement will be.”
This could affect a broad group of systems, from personal laptops to corporate servers. But installing a patch on a home laptop is a fix on a different scale from making sure an entire company’s network is protected.
NSA went public with a key message: Update systems with a patch.
“Now that it’s a widely known exploit, everyone’s got to defend against it. Most home systems have an easy button, most corporate systems don’t,” Stanford said. However, he said of the company systems, “that doesn’t mean it can’t be done.”
Plenty of companies have been taking action, as well, including Columbia-based cybersecurity company Tenable, which works with released plugins to identify the vulnerability.
“This vulnerability, and the attention it’s received from various government agencies, is unprecedented. It calls into question our very trust in today’s digital world — the trust that our encoded communications are secure,” said Renaud Deraison, cofounder and CTO of Tenable, in a statement. “We implore organizations to patch their systems immediately.”
For NSA, the public announcement isn’t unprecedented, but it’s also not a move that’s made often. For one, that indicates the severity of the threat posed by the vulnerability. At the same time, Wired noted that it’s distinct from how the NSA approached a hacking tool known as EternalBlue, which also centered on a Microsoft vulnerability. In that case, NSA did not disclose the flaw publicly. This squares with actions of an intelligence agency looking to gain an edge on the cyber battlefield. But it was later leaked online, and used in attacks. Going forward, NSA Cybersecurity Directorate head Anne Neuberger told reporters this week that the agency will disclose more findings to the public.
Stanford said this week’s public disclosure shows a willingness by NSA to embrace another part of its mission: protecting the country’s infrastructure.
“I’m really glad they stepped up, saw a problem and helped everyone fix it,” he said.-30-