Microsoft Corp has rolled out an important security fix for its Windows operating system after the US National Security Agency tipped off the company to a serious flaw, officials said.

Key points:

Microsoft and the NSA say there is no evidence the flaw has been exploited

Windows users are being told to implement the patch immediately

Experts say the NSA's decision to share this information is unprecedented

Microsoft said the flaw could allow a hacker to forge digital certificates used by some versions of Windows to authenticate and secure data. Exploiting the flaw could have potentially serious consequences for Windows systems and users.

NSA official Anne Neuberger noted that operators of classified networks had already been prodded to install the update and everyone else should now "expedite the implementation of the patch."

The Microsoft patch marks the first time the NSA has publicly claimed credit for prompting a software security update, although the agency said it has alerted companies in the past to flaws in their products.

Ms Neuberger said the agency was striving for more transparency with the information security research community.

"Part of building trust is showing the data," she told reporters minutes before the patch went live.

The NSA and Microsoft said they had not seen any evidence that the flaw had previously been abused, but both urged Windows users to deploy the update as soon as possible.

How do you fix it?

Microsoft released a free software patch to fix the flaw on Tuesday (US time).

Some computers will get the patch automatically, if they have the automatic update option turned on.

Others can get it manually by going to Windows Update in their computer's settings.

An advisory sent by the NSA on Tuesday said "the consequences of not patching the vulnerability are severe and widespread."

Microsoft said an attacker could use the exploit to decrypt confidential information they intercept on user connections.

"The biggest risk is to secure communications," said Adam Meyers, vice president of intelligence for security firm CrowdStrike.

NSA faces a balancing act

The 2017 WannaCry attack, which affected computers globally, was based on an exploit developed by the NSA. (Associated Press)

Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA's involvement.

Microsoft and the NSA both declined to say when the agency privately notified the company.

Experts said the move was unprecedented.

"I have never seen this before," said Tenable chief executive Amit Yoran, who previously served as founding director of the US Computer Emergency Readiness Team.

"I cannot think of a single instance where government shared a zero-day with a vendor and took credit for it," he said in an email.

A zero-day vulnerability is an issue with a piece of software that the vendor is not aware of — and the NSA faces a balancing act when it comes across such vulnerabilities.

The agency had been criticised after its cyberspies took advantage of vulnerabilities in Microsoft products to deploy hacking tools against adversaries and kept the Redmond, Washington-based company in the dark about it for years.

When one such tool was dramatically leaked to the internet in 2017, it was deployed against targets around the globe by hackers of all stripes.

In the most dramatic case, a group used the tool to unleash a massive malware outbreak dubbed WannaCry in 2017.

The data-wiping worm wrought global havoc, affecting what Europol estimated was some 200,000 computers in more than 150 countries.

Ms Neuberger did not directly address that controversy in her call, but said that the NSA hoped to be "a good cybersecurity partner".

Reuters/AP