TECHNOLOGY

NSA finds major security flaw in Windows 10, free fix issued

Jan 15, 2020, 6:20 AM
windows hack...
FILE - This Aug. 7, 2017, file shows a Microsoft Widows sign on display at a store in Hialeah, Fla. The National Security Agency has discovered a major security flaw in Microsoft's Windows operating system. Microsoft says the NSA notified the company about it. A fix was made available Tuesday, Jan. 14, 2020. (AP Photo/Alan Diaz)
(AP Photo/Alan Diaz)

The National Security Agency has discovered a major security flaw in Microsoft’s Windows 10 operating system that could let hackers intercept seemingly secure communications.

But rather than exploit the flaw for its own intelligence needs, the NSA tipped off Microsoft so that it can fix the system for everyone.

Microsoft released a free software patch to fix the flaw Tuesday and credited the intelligence agency for discovering it. The company said it has not seen any evidence that hackers have used the technique.

Amit Yoran, CEO of security firm Tenable, said it is “exceptionally rare if not unprecedented” for the U.S. government to share its discovery of such a critical vulnerability with a company.

Yoran, who was a founding director of the Department of Homeland Security’s computer emergency readiness team, urged all organizations to prioritize patching their systems quickly.

An advisory sent by the NSA on Tuesday said “the consequences of not patching the vulnerability are severe and widespread.”

Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” the company said.

If successfully exploited, attackers would have been able to conduct “man-in-the-middle attacks” and decrypt confidential information they intercept on user connections, the company said.

“The biggest risk is to secure communications,” said Adam Meyers, vice president of intelligence for security firm CrowdStrike.

Some computers will get the fix automatically, if they have the automatic update option turned on. Others can get it manually by going to Windows Update in the computer’s settings.

Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA’s involvement. Microsoft and the NSA both declined to say when the agency privately notified the company.

The agency shared the vulnerability with Microsoft “quickly and responsibly,” Neal Ziring, technical director of the NSA’s cybersecurity directorate, said in a blog post Tuesday.

Priscilla Moriuchi, who retired from the NSA in 2017 after running its East Asia and Pacific operations, said this is a good example of the “constructive role” that the NSA can play in improving global information security. Moriuchi, now an analyst at the U.S. cybersecurity firm Recorded Future, said it’s likely a reflection of changes made in 2017 to how the U.S. determines whether to disclose a major vulnerability or exploit it for intelligence purposes.

The revamping of what’s known as the “Vulnerability Equities Process” put more emphasis on disclosing vulnerabilities whenever possible to protect core internet systems and the U.S. economy and general public.

Those changes happened after a mysterious group calling itself the “Shadow Brokers” released a trove of high-level hacking tools stolen from the NSA, forcing companies including Microsoft to repair their systems. The U.S. believes that North Korea and Russia were able to capitalize on those stolen hacking tools to unleash devastating global cyberattacks.

Today’s Top Stories

Technology

The Air Force is set to unveil the newest stealth bomber aircraft on Dec. 2. Photo credit: Northrop...
Haley Britzky and Ellie Kaufman, CNN

Air Force unveils newest stealth bomber aircraft

The newest stealth bomber was unveiled on Friday in California.
6 days ago
space radio...
Elizabeth Weiler

USU making history with a radio entering the lunar orbit

LOGAN, Utah — Utah State University has successfully sent a radio, created by Utah State University’s Space Dynamics Laboratory into the orbit of earth’s moon.  The deep space radio is named Iris, after the Greek mythological goddess, daughter of Thaumas and Electra and messenger of the gods. The radio made its way into the orbit via a CubeSat […]
8 days ago
In this image provided by NASA, the Earth and its moon are seen from NASA's Orion spacecraft on Mon...
Jackie Wattles, CNN

NASA’s Orion reaches record-breaking distance from Earth

NASA confirmed that Orion had reached the midpoint of its uncrewed mission around the moon — about 270,000 miles (434,523 kilometers) from Earth.
9 days ago
Former US President Donald Trump's Twitter account has been reinstated on the platform....
Clare Duffy and Paul LeBlanc, CNN

Elon Musk restores Donald Trump’s Twitter account

Former US President Donald Trump's Twitter account has been reinstated on the platform.
19 days ago
With employees with the company, the future of Twitter is in uncertain. Photo credit: Justin Sulliv...
Oliver Darcy, CNN Business

Inside Twitter as ‘mass exodus’ of staffers throws platform’s future into uncertainty

With employees leaving the company, the future of Twitter is uncertain.
20 days ago
NASA's Space Launch System (SLS) rocket with the Orion spacecraft aboard is seen on Nov. 12 at NASA...
Jackie Wattles, CNN

Historic moon mission troubleshoots fuel leak issue hours before launch

The Artemis I mission to the moon could finally take place this week.
23 days ago

Sponsored Articles

Spicy Homemade Loaded Taters Tots...
Macey's

5 game day snacks for the whole family (with recipes!)

Try these game day snacks to make watching football at home with your family feel like a special occasion. 
Happy joyful smiling casual satisfied woman learning and communicates in sign language online using...
Sorenson

The best tools for Deaf and hard-of-hearing workplace success

Here are some of the best resources to make your workplace work better for Deaf and hard-of-hearing employees.
Team supporters celebrating at a tailgate party...
Macey's

8 Delicious Tailgate Foods That Require Zero Prep Work

In a hurry? These 8 tailgate foods take zero prep work, so you can fuel up and get back to what matters most: getting hyped for your favorite
christmas decorations candles in glass jars with fir on a old wooden table...
Western Nut Company

12 Mason Jar Gift Ideas for the 12 Days of Christmas [with recipes!]

There are so many clever mason jar gift ideas to give something thoughtful to your neighbors or friends. Read our 12 ideas to make your own!
wide shot of Bear Lake with a person on a stand up paddle board...

Pack your bags! Extended stays at Bear Lake await you

Work from here! Read our tips to prepare for your extended stay, whether at Bear Lake or somewhere else nearby.
young boy with hearing aid...
Sorenson

Accommodations for students who are deaf and hard of hearing

These different types of accommodations for students who are deaf and hard of hearing can help them succeed in school.
NSA finds major security flaw in Windows 10, free fix issued