In this week's Risk & Repeat podcast, SearchSecurity editors discuss Microsoft's sharp criticism of the NSA over the EternalBlue Windows vulnerability and WannaCry ransomware.
In the aftermath of the WannaCry ransomware attacks this month, Microsoft took the unprecedented step of publicly calling out the National Security Agency for hoarding vulnerabilities and exploits, such as EternalBlue.
The WannaCry ransomware worm spread by exploiting a critical vulnerability in the SMBv1 implementation of Windows' Server Message Block protocol. The exploit for that flaw, known as EternalBlue, was released to the public by the Shadow Brokers last month.
The Shadow Brokers claim to have stolen EternalBlue and other exploits and cyberweapons from another hacking outfit called the Equation Group, which has been tied to the NSA. Microsoft had issued a patch for the vulnerability (security bulletin MS17-010, March 2017) a month before the Shadow Brokers' release, but many organizations failed to update their Windows systems, or still had SMBv1 enabled, and were left exposed to the WannaCry ransomware worm.
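The two conditions that left organizations exposed, SMBv1 still enabled and the March 2017 update missing, can both be checked from an elevated PowerShell session. The script below is an added example written for this page; it is not code from the article, from Microsoft or from any of the parties discussed. It assumes Windows 8/Server 2012 or later (where the SmbShare module's Get-/Set-SmbServerConfiguration cmdlets exist), and the KB list it uses is an assumption that should be verified against Microsoft's MS17-010 bulletin for the OS in question.

```powershell
# Added example (not from the SearchSecurity article or from Microsoft):
# audit a Windows host for WannaCry exposure and optionally remediate.
# Assumptions: elevated PowerShell on Windows 8 / Server 2012 or later;
# pass -Remediate to actually disable SMBv1 rather than only report.
param([switch]$Remediate)

function Test-SmbV1Enabled {
    # The SMB server configuration decides whether this host will accept an
    # SMBv1 negotiation from a remote client, which is the path the worm used.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

function Test-Ms17010Installed {
    # MS17-010 shipped under a different KB per OS, and later cumulative updates
    # supersede these, so an empty result means "verify manually", not "unpatched".
    # Get-HotFix also reads Win32_QuickFixEngineering, which omits some update types.
    # KB numbers below are an assumption; confirm them against the MS17-010 bulletin.
    $kbs = 'KB4012212','KB4012215',   # Windows 7 / Server 2008 R2
           'KB4012213','KB4012216',   # Windows 8.1 / Server 2012 R2
           'KB4012214','KB4012217',   # Server 2012
           'KB4012606','KB4013198','KB4013429'  # Windows 10 1507 / 1511 / 1607
    $found = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $kbs -contains $_.HotFixID }
    return ($null -ne $found)
}

function Disable-SmbV1Server {
    # Turns off SMBv1 on the server side only; SMBv2/v3 keep working.
    # Check for legacy devices (old NAS, printers, embedded systems) that still
    # speak only SMBv1 before running this across a fleet.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

$smb1  = Test-SmbV1Enabled
$patch = Test-Ms17010Installed

"SMBv1 server protocol enabled : $smb1"
"MS17-010 KB found             : $patch (absence is not proof of exposure)"

if ($smb1 -and $Remediate) {
    Disable-SmbV1Server
    "SMBv1 disabled on the server side."
} elseif ($smb1) {
    "Host still accepts SMBv1; re-run with -Remediate to disable it."
}
```

Disabling the protocol is the more durable fix: the patch closes one bug, while removing SMBv1 closes the whole attack surface the worm depended on. To remove the SMBv1 components entirely rather than just turning the server setting off, Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol does that on client SKUs, at the cost of a reboot.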
Brad Smith, president and chief legal officer at Microsoft, wrote a blog post regarding WannaCry and claimed it was "yet another example of why the stockpiling of vulnerabilities by governments is such a problem." He also criticized the NSA by name for failing to disclose EternalBlue and other serious exploits to vendors like Microsoft so they could be patched.
"This is an emerging pattern in 2017," Smith wrote. "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world."
In part two of Risk & Repeat's discussion on the WannaCry ransomware attacks, SearchSecurity Senior Reporter Michael Heller joins editors Rob Wright and Peter Loshin to discuss Microsoft's pointed criticism of the U.S. government, the repercussions of the NSA's practice of hoarding vulnerabilities and the effect WannaCry may have on the Vulnerabilities Equities Process.
Risk & Repeat: Analyzing President Trump's cybersecurity executive order
Risk & Repeat: Dangerous Windows bug sparks disclosure debate
Risk & Repeat: Symantec strives to restore certificate trust