On the heels of a widespread ransomware attack that may have used hacking tools leaked from the National Security Agency, Microsoft is calling on governments to stop stockpiling undisclosed software vulnerabilities and the exploits that bypass software security.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” wrote Brad Smith, president and chief legal officer at Microsoft, on a company blog Sunday evening.
WanaDecrypt0r, also known as WannaCry, has struck hundreds of thousands of computers in more than 100 countries since the attack began Friday morning, with victims ranging from hospitals in the U.K. and a telecom in Spain to U.S.-based FedEx and the Russian Ministry of the Interior.
WanaDecrypt0r was so virulent in part because it used a Windows hacking tool that appears to have been stolen from the NSA and leaked. Microsoft had patched the Windows security hole the tool exploits in March, a month before the tool itself was leaked in April, but the patch only protects machines on which it has actually been installed, and businesses often lag in applying updates for reasons including industry-specific software that is incompatible with the most current version of the operating system.
“[I]n February [we called] for a new ‘Digital Geneva Convention’ to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them,” wrote Smith.