The U.S. National Security Agency (NSA) started a new chapter after discovering and reporting to Microsoft a vulnerability tracked as CVE-2020-0601 and impacting Windows 10 and Windows Server systems. In a phone conference NSA’s Director of Cybersecurity Anne Neuberger said that this is the first time the agency decided to publicly disclose a security vulnerability to a software vendor.

”We thought hard about that. When Microsoft asked us, ‘Can we attribute this vulnerability to NSA?’ we gave it a great deal of thought. And then we elected to do so and here is why,” Neuberger explained.
She added that “part of building trust is showing the data” and, as a result, “it’s hard for entities to trust that we indeed take this seriously and ensuring that vulnerabilities can be mitigated is an absolute priority.” Neuberger also said during the media call that the agency will make efforts towards becoming an ally to the cybersecurity community and private sector entities, and will begin to share vulnerability data with its partners instead of accumulating it and using it in future offensive operations. “Sources say this disclosure from NSA is planned to be the first of many as part of a new initiative at NSA dubbed ‘Turn a New Leaf,’ aimed at making more of the agency’s vulnerability research available to major software vendors and ultimately to the public,” journalist Brian Krebs reported.
NSA redefining itself
“We believe in Coordinated Vulnerability Disclosure (CVD) as proven industry best practice to address security vulnerabilities,” MSRC’s Principal Security Program Manager Mechele Gruhn added. “Through a partnership between security researchers and vendors, CVD ensures vulnerabilities are addressed prior to being made public.”
NSA’s new approach to building trust with the public and its partners redefines the agency’s cybersecurity mission, as US Army General and NSA Director Paul M. Nakasone stated in July 2019. “The Cybersecurity Directorate will reinvigorate our white hat mission opening the door to partners and customers on a wide variety of cybersecurity efforts,” he added at the time.
“It will also build on our past successes such as Russia Small Group to operationalize our threat intelligence, vulnerability assessments, and cyber defense expertise to defeat our adversaries in cyberspace.”
The NSA security advisory also comes with mitigation measures for systems where installing the patches released by Microsoft today is not immediately possible. “Properly configured and managed TLS inspection proxies independently validate TLS certificates from external entities and will reject invalid or untrusted certificates, protecting endpoints from certificates that attempt to exploit the vulnerabilities,” the agency reveals. “Ensure that certificate validation is enabled for TLS proxies to limit exposure to this class of vulnerabilities and review logs for signs of exploitation.”
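As an added example (not code from the article, Microsoft or the NSA advisory), the following Go program shows the independent validation the advisory describes: a TLS inspection proxy that verifies certificate chains against its own trust store rejects a leaf whose issuer field merely copies a trusted CA's name, because the signature does not check out against the real CA key. The CA name, the host name "service.example" and all keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate from tmpl under parent, signed with parentKey (panics on error).
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER freshly produced above always parses
	return cert
}
// IndependentValidation builds a constructed PKI with one trusted CA and verifies two leaves against
// that root alone, as a proxy does: one genuinely issued by the CA, one whose issuer only copies its name.
func IndependentValidation() (genuineOK, spoofedOK bool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "service.example"},
		DNSNames: []string{"service.example"}, NotBefore: notBefore, NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	ca := makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	genuine := makeCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	// Rogue CA: same subject name as the trusted root, but a key the real CA never held.
	rogueCA := makeCert(caTmpl, caTmpl, &rogueKey.PublicKey, rogueKey)
	spoofed := makeCert(leafTmpl, rogueCA, &leafKey.PublicKey, rogueKey)
	roots := x509.NewCertPool() // the proxy's own trust store: only the genuine CA
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, DNSName: "service.example"}
	_, errGenuine := genuine.Verify(opts)
	_, errSpoofed := spoofed.Verify(opts)
	return errGenuine == nil, errSpoofed == nil
}
```

The genuine chain validates and the spoofed one fails with an unknown-authority error, which is the rejection the advisory relies on and the event a proxy should log for review.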