Microsoft says the outbreak of WannaCry ransomware on 12 May reveals why governments shouldn’t stockpile software vulnerabilities.
Microsoft’s president and chief legal officer Brad Smith thinks governments’ hoarding of flaws is a “problem.”
These bugs might be valuable to the CIA and NSA, government agencies which can and do exploit flaws to advance the national security interests of the United States government.
But bad guys invariably find and leak these security holes, which places ordinary users at risk of attackers using exploit code to target unpatched systems.
As Smith explains in a blog post:
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
Obviously, Smith is referring to the events of 12 May.
On that day, an updated version of WannaCry ransomware infected the United Kingdom’s National Health Service (NHS), the telecommunications provider Telefonica, and other high-profile within a matter of hours. As of today, it had spread to over 150 countries and reached more than 200,000 victims in an attack that exploited CVE-2017-0143, a Windows-based remote code execution (RCE) vulnerability.
The Redmond-based tech giant patched the bug on the latest Windows versions in March 2017. But there was no fix initially for Windows XP, an operating system which many customers continue to use notwithstanding its end-of-life status.
Microsoft therefore took the highly unusual step to release an update for Windows XP users and urge them to update their software (if possible) as soon as possible.
Microsoft also had something to say to governments that make attacks like the WannaCrypt outbreak possible. Smith delivers the message perfectly:
“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new ‘Digital Geneva Convention‘ to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
WannaCry helps illustrate the importance of governments cooperating with the private sector and the security industry to protect users. But as we all know, public agencies have lots of interests besides defending ordinary people, and some of those goals don’t benefit from transparency.
Let’s just hope the memory of this outbreak leads to some governments to work towards patching rather than stockpiling vulnerabilities. The world doesn’t need another WannaCry attack months or years from now to remind us all of what could happen otherwise.
For more discussion on the issue, make sure to listen to this episode of the “Smashing Security” podcast.
Smashing Security #021: 'WannaCry - Who's to blame?'
Listen on Apple Podcasts | Google Podcasts | Pocket Casts | Spotify | Other... | RSS
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
2 comments on “Microsoft: WannaCry outbreak reveals why governments shouldn’t hoard vulnerabilities”
I think this whole story is BS. Microsoft is the one responsible because they want to get rid of the old (Windows XP) and force the new crappy windows 10 spyware on everyone.
Governments should not hold back vulnerability knowledge: the information may become known by a breach, or by an accidental or intentional leak. It may, as a result, become known to criminals who likely will use it for criminal purposes, or sell it on to others who will. On the other hand, governments can use vulnerabilities in ways that many would consider more beneficial than harmful.
Criminals should not hold back vulnerability knowledge: they are likely to use the information for criminal purposes or sell it on to others who will. We can pretty much guess how well that will work out.
Private (non-criminal) organizations should not hold back vulnerability knowledge: the likely purpose of doing so is to sell it on to governments or other private organizations, some of which might use the information for criminal purposes or sell it on further to others who will.
Both governments and private organizations may obtain information about vulnerabilities by their own research, by stealing it from other governments or private researchers, purchasing it from private organizations, or taking advantage information leaked either intentionally or by accident.
In the aggregate, private research into vulnerabilities, including by developers and vendors such as Microsoft, probably exceeds similar government and government sponsored research by an order of magnitude or more. Government activity, including by the NSA and CIA is reasonably a matter for some concern, but focusing on these two agencies, or even all similar government agencies is a serious misdirection.
Those who fell victim to this particular exploitation generally were
– users of products for which Microsoft discontinued support two or more years past;
– users of unauthorized Microsoft products that do not qualify for updates;
– users who had not applied patches for very high severity vulnerabilities that had been available for about eight weeks.
The extremely rapid spread, in addition, seems likely to have been facilitated by overly permissive firewall configurations that exposed an outdated and deprecated version of the SMB protocol on the public Internet.
The NSA may be in for some blame, but there is more than enough for others, the first of which is Microsoft, which developed the vulnerable software and apparently overlooked the vulnerability for 15 years or more.