Microsoft patched a severe flaw in Windows 10 after the National Security Agency released a warning urging the company to fix the potentially damaging vulnerability.
If your PC runs Windows 10 then you need to download the latest update (released Tuesday, Jan 14) as soon as possible.
The flaw was found in a function of Windows 10 that verifies cryptographic trust. Called Microsoft CryptoAPI, the service lets developers secure their apps by using cryptography, or encrypting and decrypting data with digital certificates.
We won't dig too deep into the technical details (you can read the NSA's notice for more details) but the bottom line is that attackers could spoof a code-signing certificate to sign a malicious executable and make it look like legitimate software.
Once you've downloaded the malicious executable, the gates are open for the attacker to do as they please with your system and the sensitive data inside of it. Attackers would have the freedom to download ransomware or spyware onto your system, or run a program that extracts files from your device. To make matters worse, even the best antivirus software wouldn't detect the dangerous software because it's disguised with a legitimate digital signature.
"The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider," Microsoft wrote in its own notice. "A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software."
Security researcher Brian Krebs dissected the flaw, describing it as "an extraordinarily serious security vulnerability." He notes that the cryptography component was added to Windows more than 20 years ago and that this is the first time Microsoft will credit the NSA for finding a security flaw.
What you can do to protect your PC now
It's crucial that you update your Windows 10 PC as soon as possible, especially if you're a government employee with access to sensitive data. Microsoft already released patches for Windows 10 and is currently patching Windows Server 2016 and Windows Server 2019.
"The consequences of not patching the vulnerability are severe and widespread," the National Security Agency wrote in its advisory. "Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners."
If there's a silver lining, it's that Windows 7 (which just reached its end of life) and Windows 8 are not affected by the vulnerability. Microsoft also says that there haven't been any exploits in the wild, which is why the issue is classified as "important" instead of "critical."
Still, we recommend updating your system from Windows 7 to Windows 10 to continue receiving patches for any other potential security flaws. You can follow this guide for instructions on how to update your system to Windows 10 for free.