
NSA finds major security flaw in Windows 10, free fix issued

Jan 15, 2020, 6:20 AM
FILE - This Aug. 7, 2017, file photo shows a Microsoft Windows sign on display at a store in Hialeah, Fla. The National Security Agency has discovered a major security flaw in Microsoft's Windows operating system. Microsoft says the NSA notified the company about it. A fix was made available Tuesday, Jan. 14, 2020. (AP Photo/Alan Diaz)

The National Security Agency has discovered a major security flaw in Microsoft’s Windows 10 operating system that could let hackers intercept seemingly secure communications.

But rather than exploit the flaw for its own intelligence needs, the NSA tipped off Microsoft so that it can fix the system for everyone.

Microsoft released a free software patch to fix the flaw Tuesday and credited the intelligence agency for discovering it. The company said it has not seen any evidence that hackers have used the technique.

Amit Yoran, CEO of security firm Tenable, said it is “exceptionally rare if not unprecedented” for the U.S. government to share its discovery of such a critical vulnerability with a company.

Yoran, who was a founding director of the Department of Homeland Security’s computer emergency readiness team, urged all organizations to prioritize patching their systems quickly.

An advisory sent by the NSA on Tuesday said “the consequences of not patching the vulnerability are severe and widespread.”

Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” the company said.

If successfully exploited, attackers would have been able to conduct “man-in-the-middle attacks” and decrypt confidential information they intercept on user connections, the company said.

“The biggest risk is to secure communications,” said Adam Meyers, vice president of intelligence for security firm CrowdStrike.

Some computers will get the fix automatically, if they have the automatic update option turned on. Others can get it manually by going to Windows Update in the computer’s settings.

Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA’s involvement. Microsoft and the NSA both declined to say when the agency privately notified the company.

The agency shared the vulnerability with Microsoft “quickly and responsibly,” Neal Ziring, technical director of the NSA’s cybersecurity directorate, said in a blog post Tuesday.

Priscilla Moriuchi, who retired from the NSA in 2017 after running its East Asia and Pacific operations, said this is a good example of the “constructive role” that the NSA can play in improving global information security. Moriuchi, now an analyst at the U.S. cybersecurity firm Recorded Future, said it’s likely a reflection of changes made in 2017 to how the U.S. determines whether to disclose a major vulnerability or exploit it for intelligence purposes.

The revamping of what’s known as the “Vulnerability Equities Process” put more emphasis on disclosing vulnerabilities whenever possible to protect core internet systems and the U.S. economy and general public.

Those changes happened after a mysterious group calling itself the “Shadow Brokers” released a trove of high-level hacking tools stolen from the NSA, forcing companies including Microsoft to repair their systems. The U.S. believes that North Korea and Russia were able to capitalize on those stolen hacking tools to unleash devastating global cyberattacks.
