There's a diary on the front page today about a long-discredited theory about security vulnerabilities, the NSA, and Microsoft here. The short form of what I'm going to write is that the story it promotes is simply wrong. The long form is below the reality-based imaginary Cheeto.
OK, so the beginning of the story is that Microsoft discloses vulnerabilities to the NSA before they are publicly disclosed and patched. That part of the story is true, although distorted. The follow-on is that this release allows the spooks to break into our systems. That part is, for lack of a better term, absurd.
(1) First, this particular conspiracy theory has been around ever since Patch Tuesday was first instituted by Microsoft. It's been debunked any number of times.
It is true that MSFT releases details to the NSA early. It also releases those details to KFC. Perhaps the Colonel is using those details to impose adware on our computers to encourage us to buy more salt-flavored gravy using subliminal messages? The full truth is that Microsoft, like every major software manufacturer, pre-releases vulnerability details and the patches associated with them to every customer with a suitable support agreement. It's part of the agreement.
(There is, by the way, a really good reason for this. Large entities run large bespoke packages on Windows, and those packages can break when a patch is installed or a work-around is applied. Big users, in particular, need time to test the patch against their own software before it goes out, lest they be left off-line after the patch is applied or, worse, decide not to apply it and remain vulnerable.)
(2) "But...a properly written bespoke piece of software shouldn't break!", you say. You're right, but here's the dirty little loudly trumpeted fact about software. All software has bugs. All of it; every bit.
You think not? What would happen if you pulled the plug on your box? Would you retain all the recent data you'd received? No; you'd lose anything which hadn't made it all the way to disk. Software can narrow that window (forcing writes to disk, journaling) but never close it, since there is always data in flight that hasn't been committed, and there are hardware solutions for the rest. The simple fact remains that it's a bug. And that's just a mundane example; there are far more serious ones arising from bugs in the silicon on which the code is running.
But even if the hardware were perfect, all software would still have bugs. The code on a modern system is layers and layers deep, starting with the stuff which touches the actual hardware, the drivers, and running up and up to the thing which is showing you this text. None of that code is perfect. For instance, as of a year ago, GCC, the compiler used to produce essentially every piece of GPL software in the world, had exploitable bugs: compile the wrong file and, hey presto, you're pwned. (If you're interested, those bugs were disclosed at least four years ago. So much for quick fixes.)
But GCC is nothing special. MSVC and Clang, the C front end built on LLVM, both have disclosed vulnerabilities. And compilers are nothing special; every piece of code has bugs, and some of those are exploitable. Always.
Software is an impossible craft. We who build it learn early that we can't do it, and it takes a while thereafter to learn the dirty little secret that no one else can, either.
(3) So does pre-disclosure even help the NSA to invade our systems and steal our precious bodily fluids? I mean, after all, perhaps the NSA tells Microsoft which bugs not to patch! Ignoring how close this comes to out-and-out conspiracy theory, it's absurd. Since all software has bugs, people have developed standard tools to find exploitable ones. The most successful of these are (relatively) stupid brute force programs that repeatedly feed malformed input to a program and wait for it to fail in one of several ways: crash, hang, or otherwise misbehave. A person then takes the failure and tries to turn it into an exploit.
Everybody knows about these. And, no, the NSA didn't develop them first; they came out of university research and the hacker community long before they were government tools. Nevertheless, if the NSA wanted vulnerabilities in Windows, they could have them. If they wanted vulnerabilities in MacOS X, they could have them. (Although the current word on the street is that nobody attacks MacOS X; "it's not enough of a challenge" is how I've heard it.) The NSA has racks of servers running fuzzers (which is what these programs are called), and any number of the best grey hats out there have moved to Maryland, near Ft. Meade, and vanished from the community. You guess what they do, OK?
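To make the "stupid brute force" description concrete, here is a minimal mutation fuzzer written for this post; it is an added illustration, not code from any vendor or agency. The target is a toy packet parser constructed for the example, with a deliberate bug (it trusts a length field and overruns a fixed buffer), and the seed message, mutation strategies and iteration counts are all assumptions made up for the demonstration. The harness mutates a valid seed, watches for the parser to fail in an unexpected way, then shrinks the failing input so a human has something small to look at when deciding whether the failure is exploitable.

```python
"""Toy mutation fuzzer: feed a parser corrupted input until it fails, then shrink the failure."""
import random
import struct
from typing import Optional

BUF_SIZE = 64  # fixed "stack buffer" in the constructed target

# Constructed target: [1-byte type][2-byte big-endian length][payload].
def parse_packet(data: bytes) -> dict:
    if len(data) < 3:
        raise ValueError("short header")  # documented rejection, not a crash
    ptype = data[0]
    (length,) = struct.unpack(">H", data[1:3])
    payload = data[3:3 + length]
    buf = bytearray(BUF_SIZE)
    # BUG (deliberate): the declared length is trusted, so a payload longer
    # than BUF_SIZE overruns buf. In C this is a stack smash; in Python the
    # out-of-range write raises IndexError, which the harness treats as a crash.
    for i, b in enumerate(payload):
        buf[i] = b
    return {"type": ptype, "length": length, "payload": bytes(buf[:len(payload)])}

def run_target(data: bytes) -> Optional[str]:
    """Return None when the parser behaves, else the name of the unexpected exception."""
    try:
        parse_packet(data)
    except ValueError:
        return None  # expected error path
    except Exception as exc:  # anything else is the "failure" the fuzzer hunts for
        return type(exc).__name__
    return None

def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one to three random corruptions to a copy of data (assumed strategies)."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        choice = rng.randrange(5)
        if choice == 0 and buf:            # flip one bit
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif choice == 1 and buf:          # overwrite a byte with a boundary value
            buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
        elif choice == 2:                  # append junk, which grows the payload
            buf += bytes(rng.randrange(256) for _ in range(rng.randint(1, 128)))
        elif choice == 3 and len(buf) > 1:  # truncate
            del buf[rng.randrange(len(buf)):]
        elif choice == 4 and len(buf) >= 3:  # tamper with the length field
            struct.pack_into(">H", buf, 1,
                             rng.choice((0, 1, BUF_SIZE, BUF_SIZE + 1, 0x7FFF, 0xFFFF)))
    return bytes(buf)

def fuzz(seed: bytes, iterations: int = 10000, rng_seed: int = 1) -> Optional[dict]:
    """Mutate seed repeatedly; return the first input that makes the target fail."""
    rng = random.Random(rng_seed)  # fixed seed so the run is reproducible
    for n in range(iterations):
        candidate = mutate(rng, seed)
        failure = run_target(candidate)
        if failure is not None:
            return {"iteration": n, "input": candidate, "failure": failure}
    return None

def minimise(data: bytes, failure: str) -> bytes:
    """Greedily delete single bytes while the same failure still reproduces."""
    cur = bytearray(data)
    progress = True
    while progress:
        progress = False
        i = 0
        while i < len(cur):
            trial = cur[:i] + cur[i + 1:]
            if run_target(bytes(trial)) == failure:
                cur, progress = trial, True
            else:
                i += 1
    return bytes(cur)

# Constructed seed: a well-formed 16-byte packet the parser accepts.
SEED = bytes([0x01]) + struct.pack(">H", 16) + b"hello, world!!!!"

if __name__ == "__main__":
    found = fuzz(SEED)
    if found is None:
        print("no failure found")
    else:
        small = minimise(found["input"], found["failure"])
        print(f"{found['failure']} after {found['iteration']} iterations; "
              f"{len(found['input'])} bytes, minimised to {len(small)} bytes: {small.hex()}")
```

The shrinking step always ends at a 68-byte input here (3 header bytes plus 65 payload bytes with a length field above 64), which is exactly the shape an analyst needs to see to recognise an unchecked length. Real fuzzers add coverage feedback, timeouts for hangs and sanitizers that catch silent memory corruption, but the loop is the same one this toy runs.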
So, does Microsoft help the NSA penetrate our systems? No. The usual evidence (early disclosure) has nothing to do with the NSA, and everything to do with the needs of large customers using any system. Oracle does the same thing when they release a patch set, as does Apple. Is Microsoft's code particularly buggy, and thus particularly penetrable? No; every operating environment has vulnerabilities. Could Microsoft even help the NSA by disclosing? No; penetration is too well understood, and NSA has clearly built up its own in-house expertise too well.
It's just not true, no matter how much you want to hate Mr. Softie.