KEY POINTS

  • NSA reportedly notified Microsoft of the exploit within the last few weeks
  • The exploit would have made disguising malware in security certificates with fake signatures much easier for hackers
  • Cooperation is uncharacteristic as the NSA has reportedly kept these types of exploits secret from tech companies to use itself

Microsoft issued a new patch to the Windows 10 operating system on Tuesday after it was notified of a potential exploit in the system by the National Security Agency.

The NSA reportedly notified Microsoft of the exploit in the last few weeks. It affects the cryptographic handling of the digital signatures Windows uses to authenticate files, and it would allow hackers to use fake signatures to disguise malicious software as safe.

Microsoft Senior Director Jeff Jones assured customers in a statement Tuesday that anyone who has automatic updates turned on is “already protected” and encouraged anyone who didn’t to download the update “as soon as possible.”

Satnam Narang, a senior research engineer with cybersecurity firm Tenable, said hackers typically steal security certificates to disguise malware they would send to victims. However, the exploit would have made the process easier by allowing them to copy Microsoft’s security certificate.

“In the grand scheme of things, this is just another tool in the toolbox for attackers,” Narang said.

He also pointed out that the NSA notifying Microsoft of this kind of exploit is uncharacteristic for the government agency. It’s also unclear how long the NSA knew about the exploit before informing Microsoft.

“Patching like this, in general, should always be important, but the fact that the NSA is the one that disclosed this to Microsoft as well gave it some more importance,” Narang said.

Microsoft issued a statement about the patch but did not provide further details: “We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.”