Associated Press
- The National Security Agency has detected a "severe" security flaw in the Microsoft Windows 10 operating system, the agency announced Tuesday.
- Microsoft acknowledged the flaw and rolled out a security update Tuesday afternoon.
- The flaw hasn't been actively exploited, as far as Microsoft can tell, but all Windows users are urged to install the software update as soon as possible.
- The NSA first reported the flaw to Microsoft after detecting it - it's exceedingly rare for government agencies to share their discovery of vulnerabilities with a private company, an expert says.
- Visit Business Insider's homepage for more stories.
The National Security Agency is urging all Windows 10 users to update their software after detecting a "severe" security flaw in the operating system, the agency announced Tuesday.
The NSA first detected the flaw and alerted Microsoft, prominent security researcher Brian Krebs first reported. NSA Director of Cybersecurity Anne Neuberger confirmed that the agency told Microsoft about the flaw in a call with reporters Tuesday morning.
Microsoft confirmed the flaw and rolled out a patch update for Windows 10, as well as Windows Server 2016 and Windows Server 2019, on Tuesday afternoon. Microsoft hasn't found any evidence that the flaw has been actively exploited, but urged all Windows users to install the latest update.
The security flaw allows attackers to target users of unpatched Windows systems with malware that mimics the digital signature of a trusted provider. If people downloaded the malicious file, hackers could access "confidential information" stored on their computers, according to Microsoft.
It's exceedingly rare for a federal agency to tell a company about a cybersecurity flaw - according to Neuberger, this is the first time the NSA disclosed a vulnerability to Microsoft.
In an email to Business Insider, Amit Yoran, founding director of the Department of Homeland Security's US Computer Emergency Readiness Team and CEO of Tenable, underscored how unusual this disclosure is.
"For the US government to share its discovery of a critical vulnerability with a vendor is exceptionally rare if not unprecedented," Yoran said. "These are clearly noteworthy shifts from regular practices and make this vulnerability worth paying attention to."