The National Security Agency (NSA) found and notified Microsoft of what it called a serious vulnerability in the company’s Windows 10 operating system that could potentially expose computer users to significant breaches, surveillance or disruption, officials announced Tuesday.
The public disclosure is unlike the NSA’s usual approach of using such flaws to build hacking tools that allow the agency to spy on adversaries’ networks, according to The Washington Post. Rather, officials released a fix.
“This is … a change in approach … by NSA of working to share, working to lean forward, and then working to really share the data as part of building trust,” Anne Neuberger, director of the NSA’s Cybersecurity Directorate, which was launched in October, told the Post.
The NSA discovered an error in the Microsoft code that verifies digital signatures. The error could enable a hacker to forge a signature and breach a computer.
“The patch is the only comprehensive means to mitigate the risk,” the NSA’s statement read. “While means exist to detect or prevent some forms of exploitation, none of them are complete or fully reliable.”
Microsoft said it addressed the flaw promptly and released a security update Tuesday. Customers who have already applied the update, or have automatic updates enabled, should be protected.
Microsoft told the Post that it has seen no active exploitation of the flaw.