Patch Tuesday January: fix extraordinarily serious security vulnerability

Today’s patch Tuesday will patch an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. It was found by the NSA and reported to Microsoft because it ‘makes trust vulnerable’. It could compromise “encrypting and decrypting data using digital certificates” amongst other things.

This is a huge security flaw that, unpatched, had the potential to undermine the trust fabric of the world of the web and computers. Microsoft states it has not seen active exploitation of the vulnerability.

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

The article further suggests that the flaw was found by the NSA and reported to Microsoft because a compromised cryptographic component makes trust vulnerable:

The NSA’s Neuberger said in a media call this morning that the agency did indeed report this vulnerability to Microsoft, and that this was the first time Microsoft will have credited NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet.

According to the NSA, the problem exists in Windows 10 and Windows Server 2016. Asked why the NSA was focusing on this particular vulnerability, Neuberger said the concern was that it “makes trust vulnerable.” The agency declined to say when it discovered the flaw, and said that it would wait until Microsoft releases a patch for it later today before discussing further details of the vulnerability.

Article on Krebsonsecurity
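Since the article's point is that a flaw in crypt32.dll lets a spoofed signature pass the CryptoAPI's own check, a defender may want a second opinion that does not come from that verdict alone. Below is an added example, not part of the forum post or the Krebs article: it asks Windows for the Authenticode signature of a file, builds the signer's certificate chain, and then checks by thumbprint that the chain's root is a certificate actually present in the machine's root stores. The function name `Test-SignerChainRoot` and the sample path are this example's own choices.

```powershell
# Added example (not from the forum post or the Krebs article): cross-check an
# Authenticode signature instead of relying only on the CryptoAPI verdict.
# It builds the signer's chain and checks that the chain's root is a certificate
# that actually sits in one of the machine's root stores (matched by thumbprint).
# The function name and the sample path are this example's own choices.

function Test-SignerChainRoot {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path        = $Path
        ApiStatus   = $sig.Status        # CryptoAPI's own verdict
        RootSubject = $null
        RootInStore = $false             # independent check, filled in below
    }
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return [pscustomobject]$result
    }

    # Thumbprints of every certificate the system treats as a trust anchor.
    $trusted = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root') |
        ForEach-Object { Get-ChildItem -Path $_ -ErrorAction SilentlyContinue } |
        ForEach-Object { $_.Thumbprint }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline; only the chain shape is inspected here
        $null = $chain.Build($sig.SignerCertificate)
        # The last chain element is the highest certificate the builder reached (the root on a full chain).
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.RootSubject = $root.Subject
        $result.RootInStore = [bool]($trusted -contains $root.Thumbprint)
    }
    finally {
        $chain.Dispose()
    }
    [pscustomobject]$result
}

# Sample run over the component named in the article; any signed file works.
Test-SignerChainRoot -Path "$env:SystemRoot\System32\crypt32.dll"
```

The combination worth a closer look is `ApiStatus` reporting `Valid` while `RootInStore` is `$false`: the API accepted the signature, but the chain it built does not end at a certificate the machine actually stores as a trust anchor. The check is a cross-check for triage, not a substitute for installing the update.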

Thanks Eric - applied to a couple and nothing blew apart :o

(Up to Build 592)

Updated and running smooth on 6882

Hi EricJH,

Thank you for sharing this info :-TU. Kindly all update your PC.