NSA finds Windows open
The United States’ National Security Agency (NSA) has discovered a major security flaw in Microsoft's Windows 10.
The NSA tipped off Microsoft, which released a free software patch to fix the flaw and said it has no evidence that hackers have used the technique.
Amit Yoran, chief executive of security firm Tenable, said it is “exceptionally rare if not unprecedented” for the US government agency to tell a company about a vulnerability, rather than exploit it for itself.
An advisory issued by the NSA said “the consequences of not patching the vulnerability are severe and widespread”.
The flaw allowed attackers to spoof a code-signing certificate, making it look like a file came from a trusted source.
It opened the possibility of “man-in-the-middle attacks”, where hackers decrypt confidential information they intercept on user connections.
“The biggest risk is to secure communications,” said Adam Meyers, vice-president of security intelligence firm CrowdStrike.
Automatic updates will have seen many systems fixed already, while the patch can be manually installed through Windows Update in the computer's settings.