This would be so easy for the NSA etc. to do that I think we have to consider it as inevitably having occurred.
All they would have had to do is take a close look at any new changes committed to OpenSSL and other critical infrastructure software. Surely they have people doing that -- they would be remiss not to.
Even easier, I would bet a lot of money that they have at least some rudimentary static analysis tools to detect potential targets, and this sort of memory error is pretty low hanging fruit for such a tool. To me it seems almost certain that they knew about it and they certainly exploited it if they knew.
The bigger question to me is how many of these bugs have they rooted out that have not been made public yet?
Why don't we have groups doing that sort of analysis on our behalf? Programmers are at a fundamental disadvantage when it comes to testing and verifying their own code. You can't trust a shop to verify itself when it comes to infrastructure this critical.
Yeah--it should be a no-brainer. Running such critical code through as many static analysis tools you can get your hands on should be standard practice. I wonder why Coverity and the rest havent taken it upon themselves. I remember a story about Coverity running their tool on random open source projects and emailing them about issues they found. Maybe OpenSSL is too far in the hole to start that now.
Unfortunately, most people do not find this to be terribly exciting. Worse still, there is almost no demand for it; most programmers want to quickly hack out something cool, and by the time they begin thinking about security it is too late.
All they would have had to do is take a close look at any new changes committed to OpenSSL and other critical infrastructure software. Surely they have people doing that -- they would be remiss not to.