
Where did the NSA find a cybersecurity vulnerability?

Answer: In Windows 10.

by / January 15, 2020

Microsoft released a security patch on Tuesday for a vulnerability that it says was initially discovered by the National Security Agency (NSA). TechCrunch reports that the NSA confirmed that it found the bug and decided to turn it over to Microsoft rather than use it for offensive security operations. The agency was criticized for the latter practice when it discovered a different flaw about two years ago.

The vulnerability lies in CryptoAPI, a cryptographic component of Windows created decades ago that is used in Windows 10 and Windows Server 2016. More specifically, it lies in the part of that component that allows software developers to put their official signature on their product, alerting users that it is legitimate. When exploited, the bug allows a hacker to fake that legitimate signature on a piece of malware, so that the malware appears to be trusted software.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said.
