In a blog post on Sunday, Microsoft President Brad Smith appeared to tacitly acknowledge what researchers had already widely concluded: The ransomware attack leveraged a hacking tool, built by the U.S. National Security Agency, that leaked online in April.
“This is an emerging pattern in 2017,” Smith wrote. “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.”
He also poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – against sharing those flaws with technology companies to better secure the internet.
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Smith wrote. He added that governments around the world should “treat this attack as a wake-up call” and “consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
Microsoft President Hammers Government Secrecy
2207, 14 May 2017
Counterpoint – if the NSA could find it, Microsoft’s “red team” should also have been able to find it and fix it. Given this vulnerability likely existed for somewhere over 15 years as it affected Windows XP machines, I wouldn’t give Microsoft a pass.
I’m waiting for some smart attorney to figure this out and sue Microsoft’s a$$ off.
In the Open Source community, we share our work and collectively work on problems. My part-time passion is designing websites for the blind – I am the technology chair for southern Wisconsin Lions – so I am routinely faced with dilemmas out of the ordinary for the general community. We have found bugs in the operating system for not just Microsoft but also Apple and Google’s Android. These companies have known about these holes for years but, for whatever reason, refuse to fix them.
I would think if a company supplies a known defective product that there would be some liability attached.