
NSA reported a major Windows 10 security flaw the same day Windows 7 support ended

It's the first time Microsoft has credited the NSA with disclosing a vulnerability, according to a security expert.

Carrie Mihalcik
Laura Hautala

Microsoft issued a patch Tuesday for a major Windows flaw found by the NSA.

Ian Knighton/CNET

Instead of keeping a potential hacking resource to itself, the US National Security Agency alerted Microsoft to a serious security flaw in the Windows 10 operating system that could open computers to major breaches or surveillance. The NSA said the flaw is severe and that hackers will understand very quickly how to exploit it.

"The consequences of not patching the vulnerability are severe and widespread," the NSA said in an advisory Tuesday.

Translation: Update your Microsoft systems immediately to avoid hacking. (You can still get the free Windows 10 download, and the upgrade can be done easily in just a few steps.)

Microsoft issued a patch Tuesday for the flaw, which was earlier reported by The Washington Post. The flaw affects devices running the Windows 10 operating system, as well as the Windows Server 2016 and 2019 operating systems. Using the flaw, attackers could craft fake security certificates, giving them a free pass to run malicious software on Windows devices while looking legitimate to the system.

"The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft said in its description of the vulnerability.

In other words, if your computer's security systems are like a bouncer in front of a nightclub, a spoofed security certificate is like a fake ID for sneaky malware, said Tenable cybersecurity researcher Satnam Narang. With the spoofed certificate, he said, malware "can enter the club, so to speak."

Cybersecurity researchers also expressed concern Tuesday that the flaw could let attackers compromise communications secured with encryption as they travel from sender to recipient, something that relies on a protocol known as TLS. "If you are a developer of an app that's using TLS, I would also be thinking hard right now about the impact of this issue on your threat model," said Dmitri Alperovitch, CTO of cybersecurity firm Crowdstrike, on Twitter.

The company released this month's updates and technical information as part of its regular Update Tuesday. It's the first time Microsoft has credited the NSA for reporting a security flaw, according to security expert Brian Krebs.

The cooperation between the NSA and Microsoft is a promising development, said Michael Kaiser, former executive director of the National Cyber Security Alliance. As part of his work, Kaiser helped small- and medium-size businesses address cybersecurity, and he said the level of trust and sharing between businesses and government was very low 10 years ago. This could be a sign that things are improving.

"You can't make the world more secure unless you share these kinds of things," Kaiser said.

Microsoft said in its description of the vulnerability that it hasn't seen active exploitation of the flaw. The NSA has previously developed hacking tools using flaws in Microsoft systems, including an exploit called EternalBlue. The NSA's exploit was stolen by hackers and used by criminals in a series of ransomware attacks that hit cities in the US and beyond.

News of Tuesday's security flaw came the same day that Microsoft ended support for Windows 7. Microsoft promised 10 years of product support for Windows 7 when it was released in October 2009, before shifting focus to supporting newer technologies. Windows 7 computers will keep working, but Microsoft won't provide security updates or fixes, or technical support for any issues. This leaves computers at greater risk from viruses and malware that may circulate to take advantage of any flaws that are later discovered.

Microsoft has encouraged people to upgrade to Windows 10 to keep their PCs and laptops secure.

Originally published Jan. 14.
Updates, Jan. 14: Adds comment from Microsoft and more background; includes confirmation from Microsoft that NSA reported the vulnerability; adds confirmation from NSA that it reported vulnerability; includes comment from Michael Kaiser; and adds information about the vulnerability and a quote from Satnam Narang. Jan. 16: Adds more background on the end of support for Windows 7.