The National Security Agency alerted Microsoft in recent weeks to a significant issue affecting its Windows 10 operating system, ubiquitous within corporations and among consumers, two senior federal cybersecurity officials told CNBC.
The flaw affected encryption of digital signatures used to authenticate content, including software or files. If exploited, the flaw could allow criminals to send malicious content with fake signatures that make it appear safe. The finding was reported earlier by The Washington Post.
"Patching like this, in general, should always be important, but the fact that the NSA is the one that disclosed this to Microsoft as well gave it some more importance," said Satnam Narang, a senior research engineer with cybersecurity company Tenable. Attackers often will steal security certificates in order to send a victim a malicious file that appears to be trustworthy, but with this flaw, the attacker can simply spoof the Microsoft certificate, making the process much easier, Narang said.
It is unclear how long the NSA knew about the flaw before reporting it to Microsoft. The cooperation, however, is a departure from past interactions between the NSA and major software developers such as Microsoft. In the past, the top security agency has kept some major vulnerabilities secret in order to use them as part of the U.S. tech arsenal.
In a statement, Microsoft declined to confirm or offer further details. "We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available."
Jeff Jones, a senior director at Microsoft said in a statement Tuesday: "Customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible." Microsoft told CNBC that it had not seen any exploitation of the flaw "in the wild," which means outside a lab testing environment.
"I do want to stress that this information just dropped in the last hour, and it is still pretty fresh. So we are trying to fully grasp how this plays into the grand scheme of things," said Narang at Tenable, who wrote further about the flaw in a blog post today. "In the grand scheme of things, this is just another tool in the toolbox for attackers."