Windows 10

The National Security Agency alerted Microsoft to a major flaw in its Windows operating system that could let hackers pose as legitimate software companies. Last Tuesday, Microsoft (MSFT) launched a software update to fix the vulnerability.

The patch released for the Windows 10 operating system fixes a major vulnerability that could expose users to breaches or surveillance.

Nowadays, Windows 10 is the most widely used operating system.

The vulnerability is found in a decades-old Windows cryptographic component known as CryptoAPI. One of its functions is to let developers digitally sign their software, proving that the software has not been tampered with.

This is a departure for the NSA from its past strategy of keeping security flaws under wraps to exploit for its own intelligence needs.

During a press conference on Tuesday, NSA officials said the "serious vulnerability" could be used to create malicious software that appeared to be legitimate.

According to the NSA, "The consequences of not patching the vulnerability are severe and widespread." This means that people should update their Microsoft systems immediately to avoid hacking.

The problem lies in Windows' mechanism for confirming the legitimacy of software or establishing secure web connections. If the verification check itself is not safe, attackers can exploit that fact to remotely distribute malware or intercept sensitive data.

The vulnerability and patch updates were first reported by independent journalist Brian Krebs, who said Microsoft provided its software fix to the military and key infrastructure companies ahead of Tuesday's public release.

Microsoft said last Monday that it provides advance versions of its updates to some users under a special testing program.

The NSA's decision to warn Microsoft rather than exploit the bug for intelligence purposes underscores the magnitude of the threat it could pose to businesses, consumers and government agencies worldwide.

According to Anne Neuberger, director of the NSA's Cybersecurity Directorate, speaking last Tuesday, organizations and companies running Windows 10 should apply the patch immediately.

Microsoft has not found any evidence that the flaw has been actively exploited.

The security problem allows attackers to target users of unpatched Windows systems with malware that mimics the digital signature of a trusted provider.

Last Wednesday, researcher Saleem Rashid tweeted images of the video "Never Gonna Give You Up," by 1980s heart-throb Rick Astley, playing on what appeared to be Github.com and NSA.gov. To demonstrate the flaw, Rashid's exploit caused both the Edge and Chrome browsers to accept spoofed versions of the HTTPS-verified websites of Github and the National Security Agency.

The flaw affects devices running the Windows 10 operating system, as well as the Windows Server 2016 and 2019 operating systems. Attackers could thus craft an exploit that produces fake security certificates, giving them a free pass to run malicious software on Windows devices while appearing legitimate to the system.

The NSA said this marks the first time that it has come forward publicly to share vulnerability information with the private sector.