The National Security Agency has discovered a major security flaw in Microsoft's Windows 10 operating system that could allow hackers to intercept seemingly secure communications.
But rather than exploit the flaw for its own intelligence needs, the NSA tipped off Microsoft so that it can fix the system for everyone.
Microsoft released a free software patch to fix it Tuesday and credited the agency for discovering the flaw. The company said it has not seen any evidence that hackers have used the technique discovered by the NSA.
Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.
"The user would have no way of knowing the file was malicious, because the digital signature would appear to from a trusted provider," the company said.
If successfully exploited, an attacker would have been able to conduct "man-in-the-middle attacks" and decrypt confidential information on user connections, the company said.
Some computers will get the fix automatically if they have the automatic update option turned on. Others can get it manually by going to Windows Update in the computer's settings. Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA's involvement.
The vulnerability prompted the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security to issue an emergency directive mandating that federal agencies patch the vulnerability within 10 days.
“CISA has determined that these vulnerabilities pose an unacceptable risk to the federal enterprise and require an immediate and emergency action,” agency officials wrote in the directive, only the second one it’s ever issued. “This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information.”
CISA recommended that agencies patch immediately.
Priscilla Moriuchi, who retired from the NSA in 2017 after running its East Asia and Pacific operations, said this is a good example of the "constructive role" that the NSA can play in improving global information security. Moriuchi, now an analyst at the U.S. cybersecurity firm Recorded Future, said it's likely a reflection of changes made in 2017 to how the U.S. determines whether to disclose a major vulnerability or exploit it for intelligence purposes.
Amit Yoran, CEO of security firm Tenable, said it is "exceptionally rare if not unprecedented" for the U.S. government to share its discovery of such a critical vulnerability with a company. Yoran, who was a founding director of the Department of Homeland's computer emergency readiness team, urged all organizations to prioritize patching their systems quickly.
The revamping of what's known as the "Vulnerability Equities Process" put more emphasis on disclosing unpatched vulnerabilities whenever possible to protect core internet systems and the U.S. economy and general public.
Those changes happened after a group calling itself “Shadow Brokers” released a trove of high-level hacking tools stolen from the NSA.
Fifth Domain’s Andrew Eversden contributed to this report.