NSA Used Windows Bugs as Spy Tools

John Lister's picture

Microsoft says it's patched most of the recently revealed security flaws said to have been used by the National Security Agency (NSA) for spying. But the incident is a reminder not to rely on unsupported editions of Windows such as Windows XP and Vista. Windows Vista officially reached its end of extended support April 11, 2017.

A group calling itself "Shadow Brokers" is trying to auction what it says is a set of tools that the NSA were using for surveillance by taking advantage of security failings in widely used software. While that's a bold claim - particularly as it means the NSA had its own security lapses that allowed the tools to be stolen - independent sources suggest it is credible. However, the tools themselves may be several years old. (Source: zdnet.com)

One theory is that the tools were leaked from a team of cyber experts known as the "Equation Group" that's thought to work with the NSA, and may have helped develop Stuxnet, a virus that spread widely but was designed to specifically target Iran's nuclear operations.

Although Shadow Brokers are keeping the full set of tools to give to a winning bidder, they have produced enough detail about the tools to show what the relevant flaws may be. Microsoft says it's now completed an analysis of 12 of the specific threats.

Three Bugs Needed New Patches

Of these, six were known issues that were patched many years ago. Another three were patched in a security update last month. That may explain why the planned February update was delayed to the point that it was effectively merged with the March update. That highly unusual move could be because Microsoft wanted to be sure of fixing the problem and then getting it out as soon as possible.

With the remaining three issues, Microsoft said it wasn't able to replicate the flaws in any of the currently supported versions of Windows from 7 onwards. That may well mean the flaw affected earlier editions of Windows such as the no-longer supported XP and Vista. (Source: microsoft.com)

XP And Vista Users On Their Own

This marks an important step as Microsoft is at least giving the impression it didn't worry about whether or not these earlier editions were at risk. It's a firm reminder that Microsoft has passed the point where the hassle of continuing to support these editions long past the original cut-off date outweighs the risk to its reputation if people and businesses that continue using these outdated editions suffer hacking or other damage.

Microsoft also made a point of reissuing its backing of what it calls responsible disclosure, in which people who discover flaws should inform the software companies in question and not go public with the flaw until a fix has been developed. That could be a dig both at Shadow Brokers for revealing the flaws and also the NSA for using them as a surveillance method rather than informing Microsoft.

What's Your Opinion?

Is Microsoft right to not check or fix security flaws in older versions of Windows? Should businesses and people that continue using XP or Vista get any sympathy if they suffer security problems? Does the NSA's work outweigh any responsibility to tell software companies about bugs that could put the public at risk?

Rate this article: 
Average: 5 (5 votes)

Comments

Dennis Faas's picture

This is a very good reminder that Windows Vista users should either upgrade their computer hardware (which often includes the latest edition of Windows), or to keep their current hardware and upgrade to another operating system such as Windows 10 or Linux. If anyone reading this article needs help with the migration or needs to ask some questions, feel free to email me. To better serve you, I can offer a free 15 minute 1-on-1 consultation over your desktop (using my remote desktop support service) to review your hardware, installed programs, and user data to provide you the best possible approach to an upgrade, plus answer any questions you may have.

couchmt_4698's picture

Regarding Windows vulnerabilities, I can assure you that the NSA is not interested in monitoring the telephones, computers or other devices of innocent American citizens. Having said that, I would further aver that the NSA's function is to make the nation secure, and each case of a determined vulnerability in companies' software has to be judged on its own as to whether the work of the agency supersedes other concerns.

Regarding the recalcitrance to upgrade their computer systems, once companies have been given ample warning of the cessation of support for a particular software release, that should be sufficient, I would think.

matt_2058's picture

I don't think MS has an obligation to ensure complete operability of old OS versions. If MS says 10-year shelf-life, then that's it. If they say 5 yrs, then it's 5. Anything longer is gravy. As long as they state that at time of purchase, just like any other product warranty. Use it longer at your own risk.

Should the NSA warn software companies? Yes! Why not? That's like a city leaving all the re-tread debris on the highway because a drunk has more of a chance of hitting crap and getting a flat, making it easier to catch them. Sorry, but that's the best I could do on the fly!

I don't think the NSA as an agency really cares about the average citizen's doings. I do believe there are people within the agencies that abuse the positions they have. That's where I think the monitoring and controls need to be applied, the misuse and abuse. It happens all the time....IRS personnel, law enforcement, bank employees, etc looking into -exes, neighbors, family. Nosy busy-bodies.

That's where I'd like to see changes in the law, to address the misuse and abuse of a system that has people's information. Give the people something to fight back with!

equestrian_colt's picture

F this Nazi wannabe ran system.

dan400man's picture

Unless you live in a cave or under a rock, you have no excuse for not heeding the warnings made over the years, either in the MSM or in those annoying popups that Microsoft added to warn users. I have no sympathy for anyone who ignored the warnings.

Time's picture

Give mew a break as to Microsoft not having an obligation to fix the problems in their OS systems old or new. Every single OS that Microsoft put out had problems from the start and all throughout it's so called shelf life and after it was taken off the shelf. If you put out a broken product from the start and knew it was flawed and did it anyway, you should be obligated to fix it until you make it right!