NSA Surprises Microsoft With A Vulnerability Disclosure Just In Time For Patch Tuesday

from the what-do-you-give-to-a-company-that-has-everything-but-knowledge-of-this-exploit dept

Given the NSA's track record with vulnerability disclosures, it's something of an anomaly when it actually decides the security of millions of innocent computer users is more important than its exploitation of a security flaw. Ellen Nakashima has the details for the Washington Post:



The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could potentially expose computer users to significant breaches or surveillance — and alerted the firm of the problem rather than turn it into a hacking weapon, according to people familiar with the matter.



The flaw affects Windows 10 users, the largest user base Microsoft currently has. The vulnerability could have been weaponized by the NSA, as so many others have been. The agency has consistently withheld knowledge of vulnerabilities from affected companies until the exploits have outlived their usefulness.


The equity program, meant to ensure companies are notified of serious software flaws, has routinely been ignored by the NSA, leading directly to the EternalBlue cataclysm that saw malicious hackers repurpose the exploit and unleash ransomware attacks on multiple targets around the world.


Microsoft was not happy. It released a long statement decrying the Intelligence Community's refusal to completely participate in the Vulnerability Equities Process. As ransomware attacks brought multiple critical facilities to their knees, the NSA was justifying its "better way too late than never" approach with s ..
