The National Security Agency disclosed that it has identified a “critical vulnerability” (CVE-2020-0601) in Microsoft Windows 10; however, neither the agency nor Microsoft has, to date, seen exploitation of the flaw, which affects millions of computers.
But rather than exploit the flaw for its own intelligence needs, the NSA tipped off Microsoft so that it could fix the system for everyone.
The NSA issued a cybersecurity advisory on Tuesday, calling the flaw “severe” and saying that “sophisticated cyber actors will understand the underlying flaw very quickly and the consequences of not patching the vulnerability are severe and widespread”.
Microsoft released details about the vulnerability, which could allow an attacker to use a spoofed code-signing certificate to sign malicious software. This would allow the malware to appear to be from a trusted source and could make detection significantly more difficult.
This vulnerability affects Windows 10, and while it has not yet been exploited in the wild, it may be only a matter of time before someone looks to take advantage of unpatched systems.
How to Patch Windows 10?
Microsoft released a software patch to fix the flaw and credited the NSA for discovering it. The company said it has not seen any evidence that hackers have used the technique.
- If you have Windows 10 Automatic Updates enabled by default, your system will attempt to install the updates when they are downloaded, likely over the next several days.
- If you want to run Windows Update manually to get the patch more quickly, follow these instructions from Microsoft and click the “Check for Windows updates” button.
- Alternatively, click the Start button, select Settings, then Update & Security, then Windows Update, and click Check for updates to run Windows Update manually.