Satya Nadella, chief executive officer of Microsoft Corp., pauses while speaking during a Microsoft product event in New York, U.S., on Wednesday, Oct. 2, 2019.
Mark Kauzlarich | Bloomberg | Getty Images
The National Security Agency alerted Microsoft in recent weeks to a significant issue affecting its Windows 10 operating system, ubiquitous within corporations and among consumers, two senior federal cybersecurity officials told CNBC.
The flaw affected encryption of digital signatures used to authenticate content, including software or files. If exploited, the flaw could allow criminals to send malicious content with fake signatures that make it appear safe. The finding was reported earlier by The Washington Post.
It is unclear how long the NSA knew about the flaw before reporting it to Microsoft. The cooperation, however, is a departure from past interactions between the NSA and major software developers such as Microsoft. In the past, the top security agency has kept some major vulnerabilities secret in order to use them as part of the U.S. tech arsenal.
In a statement, Microsoft declined to confirm or offer further details. “We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.”
Jeff Jones, a senior director at Microsoft said in a statement Tuesday: “Customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible.” Microsoft told CNBC that it had not seen any exploitation of the flaw “in the wild,” which means outside a lab testing environment.
Follow @CNBCtech on Twitter for the latest tech industry news.
