The US National Security Agency (NSA) has revealed a major flaw in Windows 10 that could have been used by hackers to create malicious software that looked legitimate.
Microsoft is expected to issue a patch later and to say that the bug has not been exploited by hackers.
The issue was revealed during an NSA press conference.
It was not clear how long it had known about it before revealing it to Microsoft.
Brian Krebs, the security expert who first reported the revelation, said the software giant had already sent the patch to branches of the US military and other high-level users. It was, he wrote, “extraordinarily scary”.
The problem exists in a core component of Windows known as crypt32.dll, a program that allows software developers to access various functions, such as digital certificates which are used to sign software.
It could, in theory, have allowed a hacker to pass off a piece of malicious software as being entirely legitimate.
The NSA’s director of cyber-security Anne Neuberger told reporters that the bug “makes trust vulnerable”.
It is also an issue in Windows Server 2016 but it is not yet known if it affects older versions of Windows. Microsoft is ending support for Windows 7 for consumers.
Prof Alan Woodward, a security expert based at Surrey University, said of the flaw: “It’s big because it affects the core cryptographic software used by Microsoft operating systems. Although there is no evidence that it has been exploited by hackers, it is a major threat as it lays users open to a range of attacks, so this is a case of don’t panic but apply the patch straightaway.”
“The concern is that as soon as the vulnerability is known about in detail, exploits will be produced and the laggards who don’t patch will be prime targets.”