Industry Rumors Suggest Big Patch Coming Today to Fix a Critical Flaw in Microsoft’s Operating Systems – Military’s Already Received the Fix
First Patch Tuesday updates for 2020 are scheduled for today, and it appears some "extraordinarily serious security vulnerability" is going to be addressed. Today was already an important day for patches since these will be the last updates being shipped for Windows 7. However, things are getting more serious as reports suggest Microsoft has already shipped bug fixes to the US military and other high-value customers and targets managing Internet infrastructure.
While there is no confirmation from the Redmond software maker at this point and we are waiting for the patches to drop to hopefully get more details, industry insiders suggest that the vulnerability resides in the Windows component crypt32.dll. This module, according to Microsoft, handles "certificate and cryptographic messaging functions in the CryptoAPI," the API that enables developers to secure apps.
The hints first started with a tweet by Will Dormann, a security researcher who is behind several vulnerability reports for the CERT Coordination Center (CERT-CC). He said that "people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner."
I get the impression that people should perhaps pay very close attention to installing tomorrow's Microsoft Patch Tuesday updates in a timely manner. Even more so than others.
I don't know... just call it a hunch?
— Will Dormann (@wdormann) January 13, 2020
Several users confirmed receiving notifications from federal agency employers to "must perform updates," further confirming that this is going to be some serious flaw.
We got a strangely crypic notice from the fed management about this as well.
— Commander Apaul (@CommanderApaul) January 14, 2020
KrebsonSecurity then reported that the National Security Agency (NSA)'s Director of Cybersecurity Anne Neuberger has said that the agency reported a vulnerability to Microsoft. This would apparently be the first time Microsoft would credit the NSA for reporting a security flaw. "Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet," the publication added.
The agency didn't give any specific details of the issue.
As for Microsoft, the company has only given the following statement without saying anything about the bug itself:
Through our Security Update Validation Program (SUVP), we release advance versions of our updates for the purpose of validation and interoperability testing in lab environments. Participants in this program are contractually disallowed from applying the fix to any system outside of this purpose and may not apply it to production infrastructure.
While we await the details, if these reports are true, a vulnerability in crypt32.dll could result in several critical issues, including the ability for attackers to spoof digital signatures making malware appear like a legit program. Krebs adds that the vulnerability could impact every Windows system introduced in the last 20 years, including the unsupported Windows XP. But, before we fall into this trap of "update, update, patch," let's wait for the details from Microsoft to see how serious this flaw actually is.
As a reminder, today's will be the last patches being delivered to Windows 7; it would be prudent to upgrade to Windows 10 (free offer still valid) especially if your Windows 7 machine is connected to the internet, where these kind of old flaws will result in massive headaches in the future.