released a patch to correct a software vulnerability in its Windows operating system that could allow hackers to breach or monitor specific computer networks, after the National Security Agency discovered the flaw.
U.S. government officials described the vulnerability in Windows 10, Microsoft's most widely used operating system, as especially serious and said Microsoft customers should fix it immediately by updating their systems. Both Microsoft and the NSA said they had found no evidence that the flaw had been exploited for malicious purposes.
"We recommend that network owners expedite patching immediately," Anne Neuberger, head of the NSA's newly established cybersecurity directorate, told reporters on Tuesday. The agency alerted Microsoft as soon as it discovered the flaw, she said.
In a sign of how severe officials considered the flaw, the Department of Homeland Security issued an emergency directive on Tuesday instructing federal agencies to take a series of steps to patch their systems immediately. DHS also said it would hold calls with private-industry partners to warn of the risks posed by the flaw, said Bryan Ware, a senior official at the DHS Cybersecurity and Infrastructure Security Agency.
"A security update was released on January 14, 2020, and customers who have already applied the update, or have automatic updates enabled, are already protected," Jeff Jones, a senior director at Microsoft, said in a statement. "As always, we encourage customers to install all security updates as soon as possible."
The flaw in question involves an error in how Windows validates the digital signatures used to verify that software is authentic, a check that helps block malware from being deployed on a computer. The flaw could allow hackers to install powerful malware on systems without being detected.
NSA hackers often discover flaws in major software that can be exploited for malicious ends. The agency has long said that it frequently notifies vendors of such flaws so they can be fixed, but it sometimes withholds them and weaponizes them for offensive use, such as spying on the communications of a hostile foreign military.
But the NSA has been criticized for not always alerting the private sector to serious vulnerabilities. For example, Microsoft publicly rebuked the agency in 2017 after stolen NSA hacking tools that leaked online contributed to a global cyberattack involving a Windows flaw.
In that case, Microsoft's president, Brad Smith, wrote a blog post criticizing the U.S. government for keeping the flaw secret for its own purposes, building a powerful cyberweapon and then losing control of it. At the time, Mr. Smith compared the situation to "the U.S. military having some of its Tomahawk missiles stolen."
The NSA said at the time that it had worked with Microsoft to fix the problem after learning that the hacking tools had been compromised.
Later that year, the Trump administration released a public charter, the first of its kind, describing the administration's policies regarding major cybersecurity flaws, often in popular consumer software, identified by U.S. intelligence agencies. The document sets guidelines for when the government would disclose the discovery of such flaws and when it would keep them secret for possible use in future offensive operations.
The public document describing the Vulnerabilities Equities Process, or VEP, said that an annual report would be written "at the lowest level of classification permitted and would include, at a minimum, an executive summary written at an unclassified level" that could be provided to Congress.
However, years later, no such information has been made public, and the lack of unclassified details has generated frustration on Capitol Hill, people familiar with the matter said.
The NSA's acknowledgment on Tuesday that it had discovered the Microsoft flaw and alerted the company was the first time the agency had done so publicly, Ms. Neuberger said. The development represents a philosophical shift at the NSA, which has long sought to balance its dual missions of foreign intelligence and cybersecurity, she said.
"It really is the evolution of a mission," Ms. Neuberger said. "We recognize that no government can secure its most critical networks without the help of the private sector."
Write to Dustin Volz at [email protected]
Copyright © 2019 Dow Jones & Company, Inc. All rights reserved.