The NSA helped Microsoft

Microsoft has released an update for Windows 10 and a few other versions of its popular operating system to remove a security flaw that could be exploited to install malicious code (malware) on computers without the knowledge of their owners. Security updates are frequent, but the difference from the past is that in this case the problem was publicly reported by the National Security Agency (NSA), the US intelligence agency known for its telecommunications surveillance activities. Historically, the NSA has often preferred to keep information on security flaws in operating systems to itself, with the aim of exploiting it in programs that monitor IT activity, even on a global scale.

The security flaw affects Windows 10, Microsoft's latest operating system, as well as Windows Server 2016 and Windows Server 2019. The problem is in the certificate system that Microsoft uses to make sure that installed programs and updates are genuine. That system exists to reduce the risk of installing viruses or pieces of code that could damage the computer or open secondary access routes to the data it contains without the owner's knowledge. By exploiting the flaw, an attacker could have attached a bogus digital signature to malware, passing it off as genuine and using it to gain control of the computer.

Microsoft said it had not received any reports of this security flaw being exploited; the flaw was not known until a few days ago. Windows 10 defaults to the automatic installation of security updates of this type, so within a few days most computers using it should no longer be at risk. Usually, when an update is announced for a security flaw, there is a rush to understand the mechanism so that it can be exploited before the fix is installed on computers.

The NSA constantly looks for problems and programming errors in the most popular operating systems, precisely so that it can exploit them to its advantage as part of its surveillance plans. After the dissemination of a large amount of confidential information about its activities, especially by Edward Snowden, and the numerous journalistic inquiries that followed, the NSA received much criticism for choosing not to disclose the security holes it had identified, not even to the producers of the software concerned. According to cyber security experts, this policy had led to alarming results in at least one case.

In early 2017, NSA officials told Microsoft that they had long ago discovered a Windows vulnerability, but had suffered a leak that made it known to the Shadow Brokers hacking group. Among the lost data, perhaps disseminated by some NSA agents, was a piece of computer code that later became known as “Eternal Blue”. Microsoft quickly released a security update, but several computers were still unprotected.

Later, a group of North Korean hackers worked on the code to make “WannaCry”, malware that was then used to block the entire computer system of the UK health service, which was based on an old version of Windows. The security flaw was also exploited by a group of Russian hackers to conduct other attacks, among the largest and most serious in the history of information technology, blocking the computer systems of some large companies including Maersk, the huge multinational responsible for much of the maritime transport of goods.

When its involvement became known, the NSA denied any responsibility, claiming that the malware was made by North Korea and Russia. However, many security experts, and some NSA agents speaking anonymously, pointed out that the practice of hiding discovered flaws from the software producers, in the hope of exploiting them for espionage, was clearly behind the damage caused by Eternal Blue, which cost US companies themselves several million dollars.

The final decision on whether to keep a cybersecurity flaw secret or reveal it to manufacturers like Microsoft is often made by the White House. During the Barack Obama administration, for example, a procedure was formalized to do so. Donald Trump's government has confirmed that something similar still exists today, but the government has long since provided up-to-date data on how many security holes are made public and how many are kept secret, with the aim of exploiting them otherwise.

In the past, the NSA had already provided information to Microsoft on problems related to Windows, but had always avoided any public involvement, neither denying nor confirming its reports. It is therefore the first time that the NSA has taken a more open path, as the agency's head of cyber security, Anne Neuberger, explained: “We wanted to take a new approach in sharing and working to build trust in the cybersecurity community. Ensuring that vulnerabilities can be mitigated is a top priority.”

For now it is not clear whether this public report is the beginning of a new method of collaboration and communication for the NSA or just an isolated case. The agency brings together some of the most experienced and capable IT engineers in the world, specializing in researching programming errors and flaws in the most popular operating systems and programs. If public disclosure of their findings became the norm, many of the security problems that inevitably affect information and communications systems could be resolved in time. However, several observers are skeptical that this will happen, given the great secrecy surrounding the NSA's activities in recent cases.
