The U.S. National Security Agency (NSA) discovered a serious flaw in Windows 10 that could have been used by hackers to create malicious software that seemed legitimate.
Microsoft has released a patch and has stated that it is now aware of the bug exploited by hackers.
The problem was revealed during an NSA press conference.
It was not clear how long the agency had known about the flaw before disclosing it to Microsoft.
Brian Krebs, the security journalist who first reported the disclosure, said the software giant had sent the patch to US military branches and other high-value customers before its wider release. It was, he wrote, “extraordinarily frightening”.
The problem exists in a major Windows component known as crypt32.dll, a program that allows software developers to access various functions, such as the digital certificates used to sign the software.
In theory, it could have allowed an attacker to distribute malicious software that appeared completely legitimate.
NSA cybersecurity director Anne Neuberger told reporters that the bug “makes trust vulnerable.”
She added that the agency had decided to make its role in the discovery public at Microsoft’s request.
The flaw is also a problem in Windows Server 2016 and 2019, but it doesn’t seem to affect previous versions of the operating system.
Prof Alan Woodward, a security expert based at Surrey University, said of the flaw: “It is great because it affects the basic cryptographic software used by Microsoft operating systems. Although there is no evidence that it has been exploited by hackers, it’s a big threat as it opens up users to a variety of attacks, so this is a case of not panicking but applying the patch right away.”
“The concern is that as soon as the vulnerability is known in detail, exploits will be produced and the latecomers who won’t patch themselves will be the first targets.”