The National Security Agency (NSA) has recently spotted a major security vulnerability in Microsoft’s Windows 10 operating system. This flaw, if exploited, could allow hackers to intercept communications (both encrypted and otherwise). But in this case, the NSA tipped off Microsoft so that the software giant can fix the system for everyone. Soon after the NSA reported the flaw to Microsoft, the company released a free software patch to fix the flaw earlier this week and also credited the intelligence agency for discovering it. Microsoft clarifies it has not seen any evidence that hackers have used the technique.
Microsoft said that the vulnerability could be exploited by spoofing a code-signing certificate so it looked like a file came from a trusted source. "The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft said. If successfully exploited, attackers would have been able to conduct "man-in-the-middle attacks" and decrypt confidential information they intercept on user connections, the company further added.
For those of you who have the automatic update option turned on, they will get the fix automatically following the patch. Others can get it manually by going to Windows Update in the computer’s settings. Microsoft typically releases security and other updates once a month. Neither Microsoft nor the NSA said when the agency privately notified the company. The agency shared the vulnerability with Microsoft "quickly and responsibly," according to Neal Ziring, technical director of the NSA’s cybersecurity directorate. An advisory sent by the NSA on Tuesday said: "the consequences of not patching the vulnerability are severe and widespread."
Amit Yoran, CEO of security firm Tenable, said it is “exceptionally rare if not unprecedented” for the U.S. government to share its discovery of such a critical vulnerability with a company. Yoran, who was a founding director of the Department of Homeland Security’s computer emergency readiness team, urged all organizations to prioritize patching their systems quickly.