Microsoft said in a statement Monday night that it provides advance versions of its updates to some users under a special testing program. Jeff Jones, a senior director at Microsoft, declined to discuss specifics of the flaw “to prevent unnecessary risk to customers.”
The company did not immediately respond to a request for comment on Tuesday.
The NSA’s rare announcement of the flaw, along with its decision to warn Microsoft rather than exploit the bug for intelligence purposes, underscores the magnitude of the threat it could pose to businesses, consumers and government agencies worldwide.
The NSA said that, while it has shared vulnerability information with the private sector in the past, this marks the first time that it has come forward publicly to do so. The agency said the decision reflects an effort to build trust with cybersecurity researchers.
“Part of building trust is showing the data,” Anne Neuberger, the NSA’s director of cybersecurity, told reporters on a conference call Tuesday. Because the NSA has never allowed itself to be linked to a vulnerability disclosure, she said, “it’s hard for entities to trust that we take this seriously. And ensuring vulnerabilities can be mitigated is an absolute priority.”
The NSA did not use the vulnerability to exploit adversaries, and the bug was turned over to Microsoft as soon as it was discovered, Neuberger added. She said the NSA has not detected any other entities using the bug.
The Department of Homeland Security said on the call that it would issue a bulletin to federal agencies advising them to install the Microsoft patches immediately.
The flaw concerns a core Windows function that verifies the legitimacy of apps and programs, a feature known as CryptoAPI.
“It’s the equivalent of a building security desk checking IDs before permitting a contractor to come up and install new equipment,” said Ashkan Soltani, a security expert and former chief technologist for the Federal Trade Commission.
By compromising that validation feature, hackers could easily impersonate “good” software companies to install bad software, Soltani said, potentially allowing them to spy on computer users or hold their devices hostage for ransom.