If you are in the habit of putting off those monthly security patches Microsoft doles out on the second Tuesday of every month (known as Patch Tuesday), you may want to reconsider your approach today. A security researcher says one of the patches in today's cumulative roundup will address a serious vulnerability in a core cryptographic component affecting most versions of Windows.
"According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles 'certificate and cryptographic messaging functions in the CryptoAPI'. The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates," KrebsOnSecurity explains.
Apparently the security hole is serious enough that Microsoft has already shipped a patch to branches of the US military, along with certain other organizations that signed agreements prohibiting them from disclosing the bug before today, the day Microsoft will deliver its first cumulative Patch Tuesday rollout of 2020.
Left unpatched, this bug could have several unwanted consequences. It can potentially affect authentication on Windows desktops and servers, sensitive data processed by Internet Explorer and Edge, and various third-party applications and utilities.
"Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company," KrebsOnSecurity adds.
Interestingly, the component at the heart of this security flaw has been around for two decades. That means every version of Windows dating back to Windows XP is affected. Microsoft no longer supports Windows XP, and is not likely to push out a security update for the legacy OS.
What's also interesting is that the US National Security Agency (NSA) hosted a news call this morning saying it will give advance notice of a cybersecurity issue. It's not clear if this is the same one as the cryptography flaw (NSA says this particular vulnerability affects Windows 10 and Windows Server 2016), though it did say this is the first time the agency has been credited by Microsoft for reporting a security flaw.