The US spy agency has urged all Windows 10 users to update their computers after it found a “serious vulnerability” in the Microsoft operating system that affects millions of computers.
Neal Ziring, Technical Director at the National Security Agency, said on Tuesday that the agency had alerted Microsoft that the vulnerability could undermine security measures, allowing an attacker to send malicious software without the user knowing.
“Above anything else, we urge everyone to take action and patch their systems,” he wrote in a blogpost.
The glitch affects a security mechanism that home users, businesses and governments rely on. It allows an attacker to pretend to be someone they are not and to send malicious software from anywhere in the world, the agency said. This could lead to sensitive data being compromised or to computers being exploited for other hacking campaigns.
Microsoft confirmed the flaw, adding that “the user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider”.
Microsoft appeared to play down the issue, describing it as “important” but not at the highest critical level. It said it had no evidence that criminals or governments had actively exploited it.
The announcement caused a stir among computer experts, since the NSA has historically held onto vulnerabilities for its own surveillance campaigns. In this case, the NSA said it discovered and disclosed the bug to Microsoft “quickly and responsibly” so the technology company could find a fix that could be applied by asking users to update Windows 10 and Server 2016/2019.
Microsoft has previously criticised the agency for storing up bugs and glitches to use at its whim.
This apparent turning of a new leaf could be due to the criticism the NSA faced when it emerged that a Windows flaw it had turned into a cyber weapon was leaked by a criminal hacking group called the Shadow Brokers in 2017. The tool, dubbed EternalBlue, was later used in the WannaCry ransomware attack, which impacted a number of NHS trusts and companies and cost billions in damage. The NSA had kept the tool quiet from Microsoft for five years.
Buzz around cyber security hit a peak this month after US officials warned that private companies might be targeted by Iranian hackers following the military confrontation between the two countries. A Department of Homeland Security advisory published last week warned: “Be prepared for cyber disruptions, suspicious emails, and network delays”.