On Monday, rumors swirled that Microsoft was preparing to release a particularly noteworthy software patch for a serious vulnerability in its Windows operating system.
“I get the impression that people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner,” tweeted Will Dormann, a vulnerability analyst at CERT-CC, a computer security-focused arm of the Pittsburgh-based nonprofit Software Engineering Institute. “Even more so than others. I don’t know… just call it a hunch? ¯\_(ツ)_/¯”
Dormann’s “hunch” proved valid: In a Tuesday bulletin, Microsoft revealed the details of a troubling spoofing vulnerability. If exploited by attackers, the flaw would enable them to trick people into downloading malicious files that appeared to be from trusted sources. Microsoft urged customers in a blog post to “update their systems as quickly as practical.” (The company noted that it had “not seen it used in active attacks.”)
For those of us who are neither hackers nor systems administrators, the most interesting aspect of the flaw was the origin of its discovery: the U.S. National Security Agency. (Kudos to Brian Krebs, an independent investigative reporter, for connecting the dots about this earlier than others.)
This is the first time Microsoft has publicly credited the NSA for disclosing a software vulnerability to the company. (Longtime readers of this newsletter may recall an apparent backchannel between the NSA and Microsoft that seemed to avert a potential security disaster in 2017.) Historically keeping to itself, the NSA—jokingly referred to as No Such Agency—has broken with tradition.
This is not your parents’ NSA. The shadowy agency’s reputation was in shambles after former contractor Edward Snowden began leaking loads of internal documents detailing its practices and capabilities in 2013. In the years since, the NSA has been attempting to refurbish its public image, speaking more openly and showing up, undisguised, at industry events. Now, with the Microsoft patch, we see it even seeking recognition for its security findings.
Heck, Rob Joyce, former White House cybersecurity czar and the NSA’s most public face, is now inviting people to drop by the NSA’s table to pick up “swag” at the cybersecurity industry’s RSA Conference in March. (Apparently, the agency will be giving out “I patched” stickers, similar to “I voted” stickers, but much, much nerdier.)
As businesses patch their computers, the NSA patches its reputation.