Microsoft is expected to release a major software update on Tuesday, January 14 that will fix an "extraordinarily serious security vulnerability" affecting a core cryptographic component found in all versions of Windows. This will be the first Patch Tuesday release of 2020 from Microsoft.
January 14 is also the day that Microsoft will end support for Windows 7.
As reported by KrebsOnSecurity, Microsoft has already rolled out a patch to fix the bug for the U.S. military and other important high-profile clients and customers. These clients have been asked to sign agreements preventing them from disclosing details of the flaw on or before January 14, 2020.
The flaw is found in the crypt32.dll system file, which handles "certificate and cryptographic messaging functions in the CryptoAPI." The Microsoft CryptoAPI lets applications secure data using cryptography, and includes functions for encrypting and decrypting data using digital certificates. This component is used by key Microsoft apps like Internet Explorer and Edge to securely handle sensitive data.
A flaw in crypt32.dll can be used to spoof digital signatures, which attackers can use to make malware appear to be a safe and genuine app on your PC.
The report also states that the NSA's Director of Cybersecurity, Anne Neuberger, is scheduled to host a press conference on January 14 where she will "provide advanced notification of a current cybersecurity issue."
Microsoft, for its part, has already issued a statement saying that it does not discuss any vulnerabilities before rolling out a fix for them. It also made it clear that it does not roll out production-ready updates before its regular Update Tuesday schedule.