Microsoft and other U.S. firms disclose security flaws to spies before customers, report claims

Imagine you’re a government customer of Microsoft(s msft)’s, in some country that isn’t the U.S. You’re already anxious over the PRISM scandal and its implications for data processed in the firm’s cloud. Now this: according to a Bloomberg report on Friday, when Microsoft finds a vulnerability in its software it informs U.S. intelligence agencies before its own customers.

So, in theory, apart from having advance notice to patch their own systems, those agencies could exploit that zero-day vulnerability to hack into your data, before Microsoft gives you a chance to patch the flaw. And it’s not just Microsoft. According to the report, “thousands of [U.S.] technology, finance and manufacturing firms” are closely aligned with American national security agencies, passing them information such as vulnerability details and hardware and software specifications, and giving them access to overseas facilities and data.

In return, Bloomberg claims, the agencies give the companies information about foreign attacks on their systems. Google(s goog) is cited as an example of this, with Sergey Brin allegedly having been invited to sit in on a secret intelligence briefing after an attack by Chinese hackers in 2010. Of course, the companies aren’t the only sources of useful flaws — security expert and activist Christopher Soghoian detailed late last year how some security researchers sell vulnerability information to governments for large sums of cash too. “This is the [U.S.] government buying a flaw without the intention of fixing it,” Soghoian explained in his Harvard University presentation. (Thanks to Jeff Ausloos for alerting me to that one.)

Backbone hacking

The Bloomberg report also notes claims recently made by NSA leaker Edward Snowden that the U.S. hacks network backbones in China and Hong King. Although the evidence for this “Blarney” program appears scantier than that for PRISM, the gist is that the scheme captures metadata from internet-connected devices such as computers and smartphones around the world, including OS version, Java software version and browser. Again, this would make it easier for the agencies to target and hack such devices.

On the domestic front, the piece also claims a security system called Einstein 3, which is meant to protect U.S. government systems, can “expose the private content of the emails under certain circumstances.”

Who’s the customer?

But it’s the claims about U.S. tech vendors and their apparently voluntary information exchange with the country’s spy agencies that will most bother governments and their public sector organizations around the world.

Microsoft spokesman Frank Shaw seemingly confirmed this cooperation in the Bloomberg article, saying the early release of vulnerability information helps to give the U.S. government an “early start” in protecting its systems. Other “trusted partners” reportedly include Intel(s intc)’s security business McAfee, which apparently acts as a consultant of sorts to spy agencies wanting to know more about network architectures around the world.

There’s no suggestion that any of this data-sharing is illegal – but for many governmental customers around the world it will suggest that their vendors have undisclosed interests that don’t align with their own. For some in the U.S. tech industry, these revelations may turn out to be as damaging as PRISM, if not more so.