Explained: Microsoft’s latest patch for millions of Windows users after NSA tip-off

The US' National Security Agency (NSA) said it had discovered a critical security flaw in Microsoft's Windows operating system. The flaw could have allowed cyber criminals to access users' private information or conduct surveillance. Microsoft said it had already released an update to fix the flaw.

What was the security flaw?

The security exploit was discovered in one of its oldest Windows cryptographic component known as "CryptoAPI."

"An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," said Microsoft on its website.

The company said a successful exploit could have also allowed a hacker to launch "man-in-the-middle" attacks and even gain capabilities to decrypt private data on users' connections.

The NSA role

The NSA said it informed Microsoft shortly after the security flaw was discovered. The agency also ensured the company had enough time to release a fix.

The public disclosure of NSA's action on Windows' security exploit is seen as a big change in how the security agency handles such loopholes which otherwise could have allowed it a back-door entry.

The agency used an exploit called "EternalBlue" to conduct surveillance. The tool, however, landed up in hands of cybercriminals who launched global attacks such as NotPetya and WannaCry.

"This is . . . a change in approach . . . by NSA of working to share, working to lean forward and then working to really share the data as part of building trust," Anne Neuberger, director of the NSA's Cybersecurity Directorate told WashingtonPost. "As soon as we learned about [the flaw], we turned it over to Microsoft."

It is worth noting that Apple is currently engaged in another battle with the US authorities over giving an access to the Pensacola shooter's iPhones - similar to the tussle between the two over a shooting case in San Bernardino 2016.

"I do think backdoors are a terrible idea, that is not the way to go about this. We've always said we care about these two things: privacy and public safety. We need some legal and technical solution in our democracy to have both of those be priorities," Microsoft CEO Satya Nadella said earlier this week.

Should you be worried?

Microsoft said it had found no evidence to show that the bug was exploited by cyber criminals. Users, however, are recommended to update their Windows systems at the earliest.

"A security update was released on January 14, 2020 and customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible," Jeff Jones, senior director at Microsoft is quoted as saying.