Microsoft will release January’s Patch Tuesday round of updates late on 14th January
Microsoft is planning to fix a major security flaw in all versions of Windows in January’s Patch Tuesday round of updates.
Users have been urged to patch straightaway or risk falling victim to exploits that are expected to appear shortly after details of the security flaw are published.
That’s according to KrebsOnSecurity, who claims that an “extraordinarily serious” security flaw has been uncovered in the crypt32.dll file, used to handle core cryptographic functions in Windows’ CryptoAPI.
The main function of Microsoft CryptoAPI is to provide services for encrypting and decrypting data using digital certificates.
The flaw, according to KrebsOnSecurity, could seriously impact proper authentication on Windows desktops and servers and the security of data handled by Microsoft’s browsers. It could also enable attackers to spoof the digital signature of software programmes and allow them to install a malicious programme – appearing to be legitimate software – on vulnerable systems.
Microsoft rolled out the CryptoAPI module into Windows nearly 20 years ago, which means almost all versions of Windows OS are likely affected by the bug.
Krebs said that its sources also revealed that Microsoft has already provided the patch for the vulnerability to the US military as well as some other high-value organisations under strict secrecy.
Those organisations were asked to sign agreements that prevented them from revealing details of the bug prior to 14th January 2020.
In a tweet posted on Monday, cyber security expert Will Dormann – who works at the Computer Emergency Response Team Coordination Centre (CERT/CC) in Pittsburgh – also gave a hint about the patch coming from Microsoft to fix the bug.
“I get the impression that people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others,” Dormann said.
I get the impression that people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others.
I don’t know… just call it a hunch?
— Will Dormann (@wdormann) January 13, 2020
If report is true, potentially millions of Windows users could be exposed to malware attacks. Moreover, the patch for the critical bug comes on the day when the 10-year-old Windows 7 OS officially reaches end-of-life.
KrebsOnSecurity says Anne Neuberger, the Director of Cybersecurity at the US National Security Agency (NSA) is also expected to host a conference call on 14th January to provide details about a current NSA cyber security issue.
In a statement to KrebsOnSecurity, Microsoft said: “Through our Security Update Validation Program (SUVP), we release advance versions of our updates for the purpose of validation and interoperability testing in lab environments.”
“Participants in this program are contractually disallowed from applying the fix to any system outside of this purpose and may not apply it to production infrastructure.”