NSA detects security glitch in Windows 10
The National Security Agency discovered a security flaw in Microsoft’s Windows 10 operating system that could allow hackers to intercept seemingly secure communications.
But rather than exploit the flaw for its own intelligence needs, the NSA tipped off Microsoft so that it can fix the system for everyone.
Microsoft released a free software patch Tuesday and credited the agency for discovering the flaw. Microsoft said it has no evidence that hackers used the technique discovered by the NSA.
Amit Yoran, CEO of security firm Tenable, said it is “exceptionally rare if not unprecedented” for the U.S. government to share its discovery of such a critical vulnerability with a company. Yoran, who was a founding director of the Department of Homeland’s computer emergency readiness team, urged all organizations to prioritize patching their systems quickly.
An advisory sent by the NSA on Tuesday said “the consequences of not patching the vulnerability are severe and widespread.”
Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked as if a file came from a trusted source.
“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” the company said.
If the flaw were successfully exploited, an attacker could have conducted “man-in-the-middle attacks” and decrypt confidential information on user connections, the company said.
Some computers will get the fix automatically if they have the automatic update option turned on. Others can get it manually by going to Windows Update in the computer’s settings.
Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA’s involvement. Microsoft declined to say when it was notified by NSA.
Priscilla Moriuchi, who retired from the NSA in 2017 after running its East Asia and Pacific operations, said this is a good example of the “constructive role” that the NSA can play in improving global information security.