Windows 10 users have been asked to update their PCs or risk having their private messages read.
The huge vulnerability has been fixed in an update, but any computer that has not received the latest version of the operating system is at risk.
The bug was discovered by the National Security Agency, which warned Microsoft rather than using it to spy on citizens.
The company then corrected the bug for all of its users via the latest free update, part of its “Patch Tuesday” regular fixes program, which seals the exploit and prevents hackers from intercepting communications.
There is no indication that the exploit was used by hackers, Microsoft said in a statement that gave credit to the NSA for finding it.
Amit Yoran, CEO of security firm Tenable, said it is “exceptionally rare if not unprecedented” for the United States government to share its discovery of such a critical vulnerability with a company.
Yoran, who was a founding director of the National Security Department’s IT emergency response team, urged all organizations to prioritize patches for their systems quickly.
An advisory sent by the NSA on Tuesday said that “the consequences of not correcting the vulnerability are serious and widespread.”
Microsoft has claimed that an attacker could exploit the vulnerability by falsifying a code signing certificate so that a file appears to be from a trusted source.
“The user would have no way of knowing that the file was malicious, as the digital signature appeared to come from a trusted provider,” said the company.
If successfully exploited, an attacker would have been able to conduct “man-in-the-middle attacks” and decrypt confidential information about users’ connections.
Some computers will receive the fix automatically if the automatic update option is turned on. Others can get it manually by opening Windows Update in their computer settings.
Microsoft typically releases security and other updates once a month, and it waited until Tuesday to reveal the flaw and the NSA’s involvement. Microsoft and the NSA both declined to say when the agency notified the company.
The agency shared the vulnerability with Microsoft “quickly and responsibly,” said Neal Ziring, technical director of the NSA’s directorate for cybersecurity, on Tuesday.
Priscilla Moriuchi, who retired from the NSA in 2017 after managing its operations in East Asia and the Pacific, said this is a good example of the “constructive role” that the NSA can play in improving global information security. Moriuchi, now an analyst at the U.S. cybersecurity company Recorded Future, said it is likely a reflection of the changes made in 2017 to how the U.S. determines whether to disclose a major vulnerability or exploit it for intelligence purposes.
The renewal of what is known as the “Action Vulnerability Process” places greater emphasis on disclosing unpatched vulnerabilities whenever possible, in order to protect core Internet systems, the economy and the public in the United States.
These changes came after a group calling itself the “Shadow Brokers” released a series of high-level hacking tools stolen from the NSA.
Additional reporting by agencies