Microsoft patched a major bug in its Windows 10 operating system after the US National Security Agency (NSA) revealed the flaw, which could have enabled hackers to create software which appeared to be from legitimate sources.

The technology giant said in a statement there was no evidence the vulnerability was exploited, and it was capable of detecting and blocking any attempts to do so.

In a related statement, the NSA explained the flaw could have been “exploited to undermine Public Key Infrastructure”, a set of mechanisms web users “rely on in a wide variety of ways”. In this case, the agency said attackers could have forged certificates enabling them to “gain the trust of users or services on vulnerable systems, and leverage that trust to compromise them”, albeit only under “certain conditions”.

Around 900 million devices including desktop and laptop PCs, smartphones and the Xbox One games console run the Windows 10 operating system or variants thereof.

Microsoft senior director Jeff Jones said a security update was released on 14 January and “customers who have already applied the update, or have automatic updates enabled, are already protected”.

The NSA urged Windows 10 users to immediately install the latest Microsoft patches, warning “the consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available”.