Windows 10 users have been urged to update their PCs or risk having private messages read.

The huge vulnerability has been patched in an update but any computer that has not received the latest version of the operating system is at risk.

The bug was discovered by the National Security Agency which alerted Microsoft, rather than using it to spy on citizens.

Download the new Independent Premium app

Sharing the full story, not just the headlines

The company then fixed the bug for all of its users through the latest free update, part of its "Patch Tuesday" programme of regular fixes, which seals up the exploit and stops hackers from intercepting communications.

There is no indication that the exploit has been used by hackers, Microsoft said, in a note that gave credit to the NSA for finding it.

Amit Yoran, CEO of security firm Tenable, said it is "exceptionally rare if not unprecedented" for the U.S. government to share its discovery of such a critical vulnerability with a company.

Yoran, who was a founding director of the Department of Homeland Security's computer emergency readiness team, urged all organizations to prioritize patching their systems quickly.

An advisory sent by the NSA on Tuesday said "the consequences of not patching the vulnerability are severe and widespread."

Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.

"The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," the company said.

If successfully exploited, an attacker would have been able to conduct "man-in-the-middle attacks" and decrypt confidential information on user connections, the company said.

Some computers will get the fix automatically if they have the automatic update option turned on. Others can get it manually by going to Windows Update in the computer's settings.

Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA's involvement. Microsoft and the NSA both declined to say when the agency notified the company.

The agency shared the vulnerability with Microsoft "quickly and responsibly," Neal Ziring, technical director of the NSA's cybersecurity directorate, said in a blog post Tuesday.

Priscilla Moriuchi, who retired from the NSA in 2017 after running its East Asia and Pacific operations, said this is a good example of the "constructive role" that the NSA can play in improving global information security. Moriuchi, now an analyst at the U.S. cybersecurity firm Recorded Future, said it's likely a reflection of changes made in 2017 to how the U.S. determines whether to disclose a major vulnerability or exploit it for intelligence purposes.

The revamping of what's known as the "Vulnerability Equities Process" put more emphasis on disclosing unpatched vulnerabilities whenever possible to protect core internet systems and the U.S. economy and general public.

Those changes happened after a group calling itself "Shadow Brokers" released a trove of high-level hacking tools stolen from the NSA.

Additional reporting by agencies

Comments

Share your thoughts and debate the big issues

Learn more
Please be respectful when making a comment and adhere to our Community Guidelines.
  • You may not agree with our views, or other users’, but please respond to them respectfully
  • Swearing, personal abuse, racism, sexism, homophobia and other discriminatory or inciteful language is not acceptable
  • Do not impersonate other users or reveal private information about third parties
  • We reserve the right to delete inappropriate posts and ban offending users without notification

You can find our Community Guidelines in full here.

Create a commenting name to join the debate

Please try again, the name must be unique Only letters and numbers accepted
Loading comments...
Loading comments...
Please be respectful when making a comment and adhere to our Community Guidelines.
  • You may not agree with our views, or other users’, but please respond to them respectfully
  • Swearing, personal abuse, racism, sexism, homophobia and other discriminatory or inciteful language is not acceptable
  • Do not impersonate other users or reveal private information about third parties
  • We reserve the right to delete inappropriate posts and ban offending users without notification

You can find our Community Guidelines in full here.

Loading comments...
Loading comments...