The NSA Discovered a Major Windows 10 Vulnerability

And then shared it with Microsoft

What: The NSA found a code signing bug in Windows 10, which could’ve exposed millions of users to potential malware. Instead of weaponizing it—as it’s done in the past—the NSA quickly clued in Microsoft, which apparently plans to patch the bug shortly.

How: Security agencies are always looking for software holes that they can exploit and use, potentially to spy on adversaries. This time, they stumbled on one with big consumer implications.

Why Do You Care: Even though you can do a lot to protect yourself from phishing attacks and other malware, this kind of Windows 10 bug would’ve been impossible to detect and equally hard to protect against. The NSA did us all a favor.

The latest and most popular version of Windows 10 has a critical flaw that could expose millions of users to malware, but it’s already been identified and may be patched by the time you read this, according to a report in The Washington Post. The unexpected White Knight? The National Security Agency (NSA).

According to the report, the NSA discovered a flaw in code verification, the mechanism that basically ensures that software you’re installing on a PC is legitimate. The flaw could have allowed hackers to drop counterfeit software on unsuspecting Windows 10 users. Such software could have opened millions to a variety of privacy and security breaches.

The NSA is not known for sharing such vulnerabilities and has in the past been blamed for mishandling cybersecurity secrets. In fact, some blame the WannaCry ransomware outbreak on the agency, even though it did not create the malware. Instead, the NSA had a different piece of attackware that somehow slipped out of its control and was then used by hackers to develop WannaCry.

Perhaps seeking to avoid a similar misstep, the NSA apparently proactively shared its Windows 10 vulnerability findings with Microsoft and, as a result, over a billion Windows 10 users around the world are about to become a little bit more cybersecure.

[The Washington Post]