The National Security Agency (NSA) found a serious security vulnerability in Microsoft’s Windows 10 operating system that could allow hackers to intercept what appear to be secure communications.
Instead of keeping the flaw secret, the NSA tipped off the company so that it could fix the problem. Microsoft rolled out a free software patch for the flaw on Tuesday and credited the intelligence agency with finding it. The tech giant said it had not found any proof that hackers ever used the vulnerability.
Amit Yoran, chief executive of the security firm Tenable, commented that it is ‘exceptionally rare if not unprecedented’ for the United States government to tip off a company about a flaw this serious.
Mr. Yoran, who was a founding director of the Department of Homeland Security’s computer emergency readiness team, warned all companies to make sure they patch their systems as soon as possible. An advisory issued by the NSA said that ‘the consequences of not patching the vulnerability are severe and widespread.’
A Major Issue
Microsoft explained that a hacker could have exploited the flaw by spoofing a code-signing certificate, so that a file appeared to come from a trusted source.
“The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider,” the company said.
An attacker who succeeded could have conducted a ‘man-in-the-middle’ attack and decrypted confidential data intercepted on user connections, Microsoft explained.
“The biggest risk is to secure communications,” said Adam Meyers, vice-president of intelligence for security firm CrowdStrike.
Some machines will receive the patch automatically if they have the automatic update option enabled in the settings. Others can install it manually by heading to the Windows Update section in the computer’s settings. Microsoft usually rolls out security and other updates once per month. Neither the company nor the NSA said when the agency notified Microsoft.
According to Neal Ziring, technical director of the NSA’s cybersecurity directorate, the NSA tipped off Microsoft ‘quickly and responsibly.’