Windows users know it's a good idea to apply security fixes to their PCs as soon as patches are publicly released to prevent malicious actors from infiltrating their machines. But what if, before a patch was issued, the U.S. government was able to exploit those vulnerabilities using information fed to it by Microsoft?
That's what Bloomberg suggests is happening in a recent report exposing a deep working relationship between a number of technology companies and American intelligence agencies. Microsoft provides the government with information about flaws in its software before publicly releasing a bug fix, the news agency reported today.
Microsoft reportedly has no knowledge of what the government does with the security information it provides, but two anonymous U.S. officials told Bloomberg that Microsoft is aware that the vulnerability information provided allows the U.S. to exploit the computers of terrorists and foreign governments.
Recent reports have highlighted the U.S. government's special interest in technology vulnerabilities. In May, Reuters reported that the U.S. government was one of the largest online buyers of security exploits and infiltration software from hackers and computer security firms. That news came shortly after the Washington Post reported the Pentagon's plan to expand its cyber command more than five-fold.
The complicated Stuxnet worm that crippled Iran's nuclear program in 2010 is reported to have been made in the U.S. and deployed at the command of President Obama.
The best defense
Microsoft's disclosures are ostensibly meant to bolster the government's defenses, however, by giving multiple U.S. agencies a head start on risk assessment and mitigation. Foreign governments such as China and Iran are suspected of frequent hacking attempts against U.S. government and corporate networks, so the early warning can help the nation defend against unanticipated attack vectors.
Microsoft has not yet responded to our request for comment.
Update: Here's what Microsoft had to say.
Microsoft has several programs through which we disclose information regarding vulnerabilities, some of which have Government participants. Prior to any fix being released to the 1B computers that receive automatic security updates each month, Microsoft communicates with program participants after our engineering cycle is completed to ensure delivery of the most current information. While timing varies slightly each month, disclosure takes place just prior to our security update for billions of customers.
One example is our Microsoft Active Protections Program (MAPP), which supplies Microsoft vulnerability information to security software partners prior to Microsoft's monthly security update release so partners can build enhanced customer protections. Another example of information sharing is the Security Cooperation Program (SCP) for Governments. Membership provides key technical information on security vulnerabilities prior to the security update being publicly available.