by spdgg
707 days ago
There's an alternative explanation. MSFT and the intelligence community were both aware of the flaw and keeping its existence. Unfortunately, it was weaponized against them (as can happen in these situations). To be clear: I am speculating for the sake of discussion.
"The policy also includes all vulnerabilities (hardware or software) that were “newly discovered and not publicly known,” regardless of whether they were discovered by the government or purchased on the grey markets, which sell to governments and other hacking groups. However, in a notable loophole, agencies did not have to submit vulnerabilities that were not “newly discovered.” That is, if the zero day was discovered prior to 2010, they could be retained with no subsequent review. Indeed, once a vulnerability went through the process and was retained there was no periodic review to see if the decision was still solid risk management. Also, this process would have excluded non-commercial vulnerabilities and probably those that were not made or used in the United States or by its allies. If the CIA or NSA were able to get their hands on a zero day in a Russian-made S-400 air defense missile system, they would not need DHS concurrence to keep it secret."
There are a few ways for feds to avoid disclosing zero-days they're aware of, but I don't think any of them apply in this instance. Maybe they have something equivalent to an ISOO notice to prevent news orgs from publishing classified information to prevent Microsoft, etc. from disclosing security vulnerabilities they're actively using?