Microsoft and other U.S. firms disclose security flaws to spies before customers, report claims


Imagine you’re a government customer of Microsoft’s, in some country that isn’t the U.S. You’re already anxious over the PRISM scandal and its implications for data processed in the firm’s cloud. Now this: according to a Bloomberg report on Friday, when Microsoft finds a vulnerability in its software it informs U.S. intelligence agencies before its own customers.

So, in theory, apart from having advance notice to patch their own systems, those agencies could exploit that zero-day vulnerability to hack into your data, before Microsoft gives you a chance to patch the flaw. And it’s not just Microsoft. According to the report, “thousands of [U.S.] technology, finance and manufacturing firms” are closely aligned with American national security agencies, passing them information such as vulnerability details and hardware and software specifications, and giving them access to overseas facilities and data.

In return, Bloomberg claims, the agencies give the companies information about foreign attacks on their systems. Google is cited as an example of this, with Sergey Brin allegedly having been invited to sit in on a secret intelligence briefing after an attack by Chinese hackers in 2010. Of course, the companies aren’t the only sources of useful flaws — security expert and activist Christopher Soghoian detailed late last year how some security researchers sell vulnerability information to governments for large sums of cash too. “This is the [U.S.] government buying a flaw without the intention of fixing it,” Soghoian explained in his Harvard University presentation. (Thanks to Jeff Ausloos for alerting me to that one.)

Backbone hacking

The Bloomberg report also notes claims recently made by NSA leaker Edward Snowden that the U.S. hacks network backbones in China and Hong Kong. Although the evidence for this “Blarney” program appears scantier than that for PRISM, the gist is that the scheme captures metadata from internet-connected devices such as computers and smartphones around the world, including OS version, Java software version and browser. Again, this would make it easier for the agencies to target and hack such devices.

On the domestic front, the piece also claims a security system called Einstein 3, which is meant to protect U.S. government systems, can “expose the private content of the emails under certain circumstances.”

Who’s the customer?

But it’s the claims about U.S. tech vendors and their apparently voluntary information exchange with the country’s spy agencies that will most bother governments and their public sector organizations around the world.

Microsoft spokesman Frank Shaw seemingly confirmed this cooperation in the Bloomberg article, saying the early release of vulnerability information helps to give the U.S. government an “early start” in protecting its systems. Other “trusted partners” reportedly include Intel’s security business McAfee, which apparently acts as a consultant of sorts to spy agencies wanting to know more about network architectures around the world.

There’s no suggestion that any of this data-sharing is illegal – but for many governmental customers around the world it will suggest that their vendors have undisclosed interests that don’t align with their own. For some in the U.S. tech industry, these revelations may turn out to be as damaging as PRISM, if not more so.


Causal Observer

According to sources within the so-called elite of the hackerdom, spy agencies of the world (not only the US) are paying big money for the newly discovered zero-day exploits (not only of the M$-Windows).

biozombie upwired into the cloud

… Microsoft “patches” ARE the back doors … ever since 1984 the truth has been Orwellian


This isn’t surprising. The US government is spying on all Americans in every way possible. Power corrupts and absolute power corrupts absolutely.


For a take I haven’t seen anywhere else, @sggrc Steve Gibson on PRISM, the Security Now podcast about it is here:

Tim Acheson

The purpose of early warnings is clearly to help defend vital US infrastructure against attack by foreign and domestic hackers. Microsoft and the other domestic tech companies are required to provide information on security risks as soon as it is available. This is common sense. The US would not want to be the last one to receive security fixes. If the government uses the data to access foreign systems, that’s obviously not Microsoft’s fault, but I’ve yet to see evidence that this has ever happened.

It’s irresponsible to spin this into a sensationalist scare story.

David Meyer

I have no doubt that’s a major reason for the information sharing, but that’s not going to comfort foreign users of Windows etc, is it?


Tim Acheson is the number one reputation management agent from Microsoft’s marketing department. He’s the first one to comment on every site that has the same story.


Thank you, Tim. The way this story is presented is bordering on BS.


What about other countries? Should they not receive the 0-day warnings as well? After this revelation I am not sure why any other government should use MS software.


I agree fully, and say that being one who has been extremely critical of the NSA data collection.
