Friday, 28 July 2017
U.S. should not stockpile cyber weapons, Microsoft says

20 May 2017

The company goes on to note that it released an update in March that should protect against this vulnerability automatically (Microsoft Security Bulletin MS17-010).

Urging businesses and computer users to keep their systems current and updated, Smith says the WannaCry attack shows the importance of collective action to fight cybercrime.

In April, a group known as Shadow Brokers leaked NSA tools that were used to attack and break into Windows computers. As of today, WannaCry had spread to over 150 countries and reached more than 200,000 victims in an attack that exploited CVE-2017-0143, a Windows-based remote code execution (RCE) vulnerability.

Smith argued there should be "a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them". WannaCry locks up Windows users' computers and asks for a $300 ransom, paid in bitcoin, to unlock them. Criminals used the NSA's leaked EternalBlue vulnerability to attack Windows machines with WannaCry ransomware.

Microsoft ended up distributing the free patch for the older versions on Friday - the day the ransomware was detected.

The WannaCry software is particularly virulent because it doesn't necessarily require users to take any action, like clicking a link or downloading software, to spread; it can also spread automatically through file-sharing systems on networks. Now, Microsoft is putting the blame for this attack directly on the governments who hid security flaws for their own benefit. "So making a payment does not mean you're going to get your data back", said Bossert.

"The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. Otherwise they're literally fighting the problems of the present with tools from the past", it said.

Responding to the incident, the company's president and chief legal officer, Brad Smith, criticized the U.S. government's weaponizing of computer vulnerabilities, the leak of which enabled this attack, and the dangers of not informing tech companies about them. However, as of now, there is no patch for these older operating systems for the EsteemAudit vulnerability.

With more than 3,500 security engineers at the company, Microsoft said, it is fighting cybersecurity threats with constant updates to its Advanced Threat Protection service.

Smith's statement made no mention of pirated Microsoft software, users of which cannot download the security patch.