
> Either NSA's role involves using zero-day exploits, in which case they shouldn't disclose them; or NSA's role doesn't involve using zero-day exploits, in which case it shouldn't be looking for them and would have nothing to disclose.

Third possibility: their role involves securing domestic infrastructure, in which case they should be looking for vulns and getting them fixed. IIRC this actually is part of their statutory mandate, alongside offensive operations.

That being said, it still wouldn't help against WannaCry because Microsoft made a blunder when they disclosed the vuln by patching new versions of Windows while they left the majority of XP installations unfixed. Even without the NSA leak somebody may have reverse engineered the bug from the released updates - such things have happened in the past.



> Third possibility: their role involves securing domestic infrastructure, in which case they should be looking for vulns and getting them fixed. IIRC this actually is part of their statutory mandate, alongside offensive operations.

This sounds similar to what IAD does. The difference is that IAD focuses on securing systems against entire classes of vulnerabilities and attacks.

SID has the mission of gathering signals intelligence, so that is why it makes sense for them to utilize individual zero-day vulnerabilities. They need to get into an adversary system, so vulnerabilities are required (when needed) to get that access.


How do you propose to solve the conundrum that this vulnerability is so bad that MS needs to release a fix, even for unsupported OSes, and get people still running those unsupported OSes to install the fix, without disclosing that there's a critical issue?


I'm not saying they shouldn't be disclosing that the patch is critical, I said that in the case of ancient bugs affecting all versions of Windows they should release all patches at the same time.


Correct me if I'm wrong, but isn't that what they did? Didn't they do it on the usual patch Tuesday?

I don't have any old versions of Windows installed, so I truly don't know how it rolled out there.


Wow, that's an old post. For currently supported versions I believe they released all patches at the same time, but XP was a problem because users without extended support contracts were left vulnerable, which facilitated the spread of WannaCry until they pushed updates to everyone. It's Microsoft's policy not to release fixes for unsupported versions to the public (this was an exception) and it leads to this kind of problem.



