The National Security Agency said it alerted Microsoft to a critical vulnerability in its operating system so that the company could fix the problem, in an apparent departure from its traditional practice of weaponizing such flaws as its own hacking tools.
Microsoft issued a patch, or update, for its systems on Tuesday in response, and said in a blog post that the flaw could have exposed users of its Windows 10 system to third-party compromise or surveillance.
“Our goal is to quickly alert that this is an important [patch],” Anne Neuberger, director of cybersecurity at the NSA, told reporters on Tuesday. “The percentage of companies that patch is still much lower than necessary.”
The US intelligence agency, which was at the center of the leaks by the American contractor Edward Snowden about its vast espionage capabilities, is seeking to improve its reputation and develop closer relationships with the private sector.
The decision to share its findings with Microsoft contrasts with its typical approach of keeping vulnerabilities to itself in the hope of exploiting them for its own spying purposes.
The NSA has faced harsh criticism for withholding several flaws in order to develop its own hacking tools, tools that subsequently fell into the hands of cybercriminals and others who exploited them.
For example, the NSA developed one such tool, called “EternalBlue,” to secretly exploit a Windows flaw that it had discovered and had not disclosed to Microsoft. The vulnerability was leaked online by a mysterious entity called the Shadow Brokers, and was then exploited by cybercriminals as part of the WannaCry ransomware campaign that hit British hospitals, businesses and government agencies in 2017.
“We wanted to adopt a new approach to sharing and also really work to build trust with the cybersecurity community . . . Part of building trust is showing the data,” said Neuberger. She said it was the first time the agency had taken credit for such an action, but that it had regularly alerted private sector companies to such flaws in the past so they could fix them.
She said the US government, including the Department of Defense, could not secure its own networks without the help of the private sector, which owns and operates 90 percent of them. “Ensuring that vulnerabilities can be mitigated is an absolute priority.”
However, some in the industry were skeptical of the NSA’s apparent change of direction. Chris Morales, head of security analytics at the cybersecurity group Vectra, said that while the move could have been prompted by a genuine concern that others could exploit the vulnerability, “it could be that the NSA already has enough other methods to compromise a Windows system and doesn’t need it.”
Rick Holland, director of information security at San Francisco-based Digital Shadows, which provides digital risk protection software, said: “However, make no mistake; the NSA will continue to accumulate zero days and take advantage of them as necessary to achieve its objectives.”
Ms. Neuberger said that, in addition to helping the private sector fix vulnerabilities, the agency remained dedicated to its espionage mission, which focuses on supporting US combat operations, building secure communications and defending against cyber attacks.
“We have always pursued both missions to keep the country and our allies safe,” she said.