NSA can no longer keep all security vulnerabilities under wraps


In most cases the NSA must disclose, rather than exploit, the vulnerabilities it discovers. That is what US President Obama has decided. There is, however, an exception for ‘domestic security and law enforcement’.

If security vulnerabilities are reported, they can be fixed, writes the American newspaper The New York Times, citing anonymous sources. According to the paper, however, the domestic-security and law-enforcement exception could still allow the agency to exploit vulnerabilities it finds.

Obama is said to have made the decision in January; its impact has yet to be seen. A committee that reviewed the NSA’s powers had recommended at the time that the NSA stop building weaknesses into encryption systems, and that zero-day vulnerabilities (flaws for which no patch yet exists) be reported so they can be patched rather than exploited.

On Friday, a US news agency reported that the NSA had been exploiting Heartbleed for two years. Heartbleed is a bug in the TLS heartbeat extension of OpenSSL that lets a client read chunks of a vulnerable server’s memory, up to 64 KB per request (a malicious server can do the same to a vulnerable client). The NSA allegedly kept the bug quiet so that it would not be patched and could go on being exploited. The NSA denies this. The bug was publicly disclosed and patched only recently.
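To make concrete what kind of bug the article is talking about, here is an added example that is not from the article or from OpenSSL: a simplified C model of the Heartbleed defect (CVE-2014-0160). The peer's memory is modelled as one buffer holding the incoming heartbeat record followed by a constructed "secret" that stands in for data left over from earlier connections; the function names, the buffer layout and the secret are assumptions for illustration. The vulnerable handler trusts the payload length declared in the record header; the fixed handler applies the bounds check that the OpenSSL 1.0.1g patch added.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 256
#define PADDING  16   /* RFC 6520 requires at least 16 bytes of padding */

/* Simulated memory of the peer that processes the heartbeat. The record sits at
 * the start; the "secret" planted after it stands in for leftover data from
 * earlier connections (constructed sample data, not real traffic). */
static unsigned char peer_memory[MEM_SIZE];
static const char secret[] = "session-cookie=DEADBEEF";

/* Build a heartbeat request: type(1) | payload_length(2, big-endian) | payload | padding.
 * `claimed` is what the header declares, `actual` is what is really sent.
 * Returns the length of the record as it was actually received. */
size_t build_request(size_t claimed, const char *payload, size_t actual)
{
    memset(peer_memory, 0, sizeof peer_memory);
    peer_memory[0] = 1;                                 /* heartbeat_request */
    peer_memory[1] = (unsigned char)(claimed >> 8);
    peer_memory[2] = (unsigned char)(claimed & 0xff);
    memcpy(peer_memory + 3, payload, actual);
    memset(peer_memory + 3 + actual, 0x2a, PADDING);
    /* plant the secret a little beyond the end of the record */
    memcpy(peer_memory + 3 + actual + PADDING + 8, secret, sizeof secret - 1);
    return 3 + actual + PADDING;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 to 1.0.1f: the declared payload
 * length is trusted and never compared with the length of the record that arrived. */
int handle_vulnerable(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                      /* the bug: never consulted */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload + PADDING > out_cap) return -1;     /* keeps this model itself in bounds */
    out[0] = 2;                                         /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                  /* reads past the end of the record */
    memset(out + 3 + payload, 0x2a, PADDING);
    return (int)(3 + payload + PADDING);
}

/* Fixed handler, modelled on the 1.0.1g patch: discard the record unless the
 * declared payload plus header and padding fits inside what was received. */
int handle_fixed(const unsigned char *rec, size_t rec_len,
                 unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 + PADDING) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload + PADDING > rec_len) return -1;     /* the added bounds check */
    if (3 + payload + PADDING > out_cap) return -1;
    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                  /* now provably inside the record */
    memset(out + 3 + payload, 0x2a, PADDING);
    return (int)(3 + payload + PADDING);
}

/* 1 if the planted secret appears anywhere in the response, else 0. */
int response_leaks_secret(const unsigned char *resp, size_t resp_len)
{
    size_t n = sizeof secret - 1;
    for (size_t i = 0; i + n <= resp_len; i++)
        if (memcmp(resp + i, secret, n) == 0) return 1;
    return 0;
}

/* Sends the 2-byte payload "hi" with a header claiming `claimed` bytes.
 * Returns -1 if the handler discarded the record, 1 if the response leaked
 * the secret, 0 if it answered without leaking. */
int run_scenario(size_t claimed, int use_fixed)
{
    unsigned char resp[MEM_SIZE];
    size_t rec_len = build_request(claimed, "hi", 2);
    int n = use_fixed ? handle_fixed(peer_memory, rec_len, resp, sizeof resp)
                      : handle_vulnerable(peer_memory, rec_len, resp, sizeof resp);
    if (n < 0) return -1;
    return response_leaks_secret(resp, (size_t)n);
}

int main(void)
{
    printf("honest request, vulnerable handler:   %d\n", run_scenario(2, 0));
    printf("claims 200 bytes, vulnerable handler: %d\n", run_scenario(200, 0));
    printf("claims 200 bytes, fixed handler:      %d\n", run_scenario(200, 1));
    return 0;
}
```

An honest request gets an honest echo from both handlers. A request that declares 200 bytes but sends 2 makes the vulnerable handler copy 200 bytes starting at the payload, carrying the planted secret into the response; the fixed handler silently drops the same record because the declared length does not fit in the 21 bytes that arrived. The real bug allowed up to 65535 bytes per request; the model caps the over-read at its own buffer size so that it stays memory-safe while demonstrating the logic.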

Some US government officials are critical of Obama’s decision. They point out that foreign governments, such as those of Russia and China, will not follow the US example, and that exploiting unpatched vulnerabilities can help avert war. The NSA previously used zero-day vulnerabilities to sabotage an Iranian nuclear facility with the Stuxnet worm.

Incidentally, the NSA can also continue to exploit vulnerabilities that have already been patched, since many computer users never install the updates.
