In this 2010 photo, a display for Microsoft’s Windows 7 is shown at the National Retail Federation’s convention in New York. (AP Photo/Mark Lennihan, File)

In this 2010 photo, a display for Microsoft’s Windows 7 is shown at the National Retail Federation’s convention in New York. (AP Photo/Mark Lennihan, File)

NSA discovers security flaw in Windows, Microsoft issues fix

The software company said it has not seen any evidence of exploitation by hackers.

By Matt O’Brien / Associated Press

The National Security Agency has discovered a major security flaw in Microsoft’s Windows 10 operating system that could let hackers intercept seemingly secure communications.

But rather than exploit the flaw for its own intelligence needs, the NSA tipped off Microsoft so that it can fix the system for everyone.

Microsoft released a free software patch to fix the flaw Tuesday and credited the intelligence agency for discovering it. The company said it has not seen any evidence that hackers have used the technique.

Amit Yoran, CEO of security firm Tenable, said it is “exceptionally rare if not unprecedented” for the U.S. government to share its discovery of such a critical vulnerability with a company.

Yoran, who was a founding director of the Department of Homeland Security’s computer emergency readiness team, urged all organizations to prioritize patching their systems quickly.

An advisory sent by the NSA on Tuesday said “the consequences of not patching the vulnerability are severe and widespread.”

Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” the company said.

If successfully exploited, an attacker would have been able to conduct “man-in-the-middle attacks” and decrypt confidential information it intercepts on user connections, the company said.

Some computers will get the fix automatically, if they have the automatic update option turned on. Others can get it manually by going to Windows Update in the computer’s settings.

Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA’s involvement. Microsoft and the NSA both declined to say when the agency privately notified the company.

The agency shared the vulnerability with Microsoft “quickly and responsibly,” Neal Ziring, technical director of the NSA’s cybersecurity directorate, said in a blog post Tuesday.

Priscilla Moriuchi, who retired from the NSA in 2017 after running its East Asia and Pacific operations, said this is a good example of the “constructive role” that the NSA can play in improving global information security. Moriuchi, now an analyst at the U.S. cybersecurity firm Recorded Future, said it’s likely a reflection of changes made in 2017 to how the U.S. determines whether to disclose a major vulnerability or exploit it for intelligence purposes.

The revamping of what’s known as the “Vulnerability Equities Process” put more emphasis on disclosing vulnerabilities whenever possible to protect core internet systems and the U.S. economy and general public.

Those changes happened after a mysterious group calling itself the “Shadow Brokers” released a trove of high-level hacking tools stolen from the NSA, forcing companies including Microsoft to repair their systems. The U.S. believes that North Korea and Russia were able to capitalize on those stolen hacking tools to unleash devastating global cyberattacks.

More in Herald Business Journal

At last, big new Boeing 777X takes flight from Paine Field

The plane flew for the first time Saturday. “All flight controls are good, very solid,” one of the pilots reported.

Concerns, questions delay Everett Station Improvement Area

The Everett Station District Alliance disputed criticism and was confident it had enough support.

Where is the sharing economy taking us?

Privacy and its exchange transactions represent a daunting set of problems for economic theory.

Protesters fear rising costs if firm buys dot-org universe

The registry operators say those concerns are misplaced and the sale is being misunderstood.

Boeing mulls another cut to 787 output in new threat to cash

The planemaker is grappling with low sales for wide-body aircraft in a market glutted with used models.

8 ways the 737 Max is still walloping American and Southwest

Planes are more full than ever due to a shortage of them.

Livestream here: Boeing will try to fly the 777X at 1o a.m.

The plane sat on the runway 3 hours through rain and wind before aborting its planned Friday flight.

Seattle commuters fume at cost of Uber, Lyft after shooting

A block was taped off, and buses in the area were rerouted and far behind schedule during rush hour.

Grounded Boeing jet holds back profits, growth at airlines

American Airlines said it canceled 10,000 flights in the fourth quarter because of the idled planes.

777X first flight rescheduled for Friday, weather permitting

The test flight is scheduled for 10 a.m., but that “is an estimate and delays can occur.”

Utilities commission sets public hearing on sale of Frontier

Pending government approvals, the broadband company is to be acquired by WaveDivision Capital.

Boeing’s new CEO sees 737 Max production resuming in spring

David Calhoun believes passengers will fly on the plane when they see pilots getting on board.