Researcher Brian Krebs warns of the probable imminent release of an update for all versions of Windows, packaged by Microsoft to fix a serious vulnerability in an operating system component that handles cryptography. The component is crypt32.dll, a module that administers "the certificates and functions related to CryptoAPI", which lets developers encrypt the data their software processes.
Windows: vulnerability in crypt32.dll, patch coming soon
According to the leaked information, the Redmond group has already distributed the update to some special customers, such as the U.S. military and organizations that manage Internet infrastructure. They were asked to sign a confidentiality agreement not to disclose details about it until today, Tuesday 14 January 2020, the first Patch Tuesday of the year. The first to talk about it was Will Dormann of the CERT Coordination Center, in the tweet quoted below, which refers to the need to install the update as soon as it is available.
I get the impression that people should perhaps pay very close attention to installing tomorrow's Microsoft Patch Tuesday updates in a timely manner. Even more so than others.
I don't know … just call it a hunch?
¯\_(ツ)_/¯
– Will Dormann (@wdormann) January 13, 2020
If exploited by attackers, the flaw could compromise security credentials used for authentication on desktop and server systems, sensitive data handled by the Internet Explorer and Edge browsers, and information related to third-party applications. It could also be used to slip malware past an antivirus scan unnoticed by labelling it as legitimate, trusted software.
Curiously, the fix arrives on the very day that marks the end of Windows 7 support, after more than a decade of maintenance for the operating system. As noted above, all versions of the platform in circulation are affected: the most recent, Windows 10, but also XP and its predecessors. The component was in fact introduced by Microsoft back in 1996 with the NT 4.0 release.
The only statement from the Redmond group on the matter says that it is customary not to disclose details about updates before they are distributed. The company also states that there has been no early release of the patch, stressing that the Security Update Validation Program has a different purpose: testing the effectiveness and compatibility of the packaged updates.
There is also word of a U.S. National Security Agency conference about a recently surfaced cybersecurity problem. At the moment it is not known whether it concerns the vulnerability in question.