Sources tell KrebsOnSecurity that Microsoft Corp. is scheduled to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that these organizations have been asked to sign agreements preventing them from disclosing details of the flaw before January 14, the first Patch Tuesday of 2020.
According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “cryptographic messaging and certificate functions in CryptoAPI”. Microsoft CryptoAPI provides services that allow developers to protect Windows applications that use cryptography and includes functionality to encrypt and decrypt data using digital certificates.
A critical vulnerability in this Windows component could have powerful security implications for a number of important Windows functions, including authentication on Windows desktops and servers and the protection of sensitive data handled by Microsoft's Internet Explorer/Edge browsers, as well as a range of third-party applications and tools.
Equally worrisome, a bug in crypt32.dll could also be abused to spoof the digital signature tied to a specific piece of software. Attackers could take advantage of that weakness to make malware appear to be a benign program produced and signed by a legitimate software company.
This component was introduced in Windows more than 20 years ago, in Windows NT 4.0. Consequently, all versions of Windows are likely to be affected (including Windows XP, which no longer receives patches from Microsoft).
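Two things a Windows administrator can do right away, as an added example (this is not code from the KrebsOnSecurity post or from Microsoft): record the installed crypt32.dll version so the arrival of the update can be confirmed, and audit the Authenticode signatures of the binaries in a folder so that anything whose signature does not validate, or whose signer is not the expected publisher, is surfaced for review. The folder path and the expected-version placeholder below are assumptions; the post gives no patched build number, so that value must come from Microsoft's release notes.

```powershell
# Added example, not part of the original post. Run in an elevated Windows PowerShell 5.1+ session.

# 1. Inventory crypt32.dll. FileVersionRaw is the [version]-typed property PowerShell adds
#    to VersionInfo, which avoids parsing strings such as "10.0.x.y (WinBuild...)".
$Crypt32 = Get-Item -Path "$env:SystemRoot\System32\crypt32.dll"
$Installed = $Crypt32.VersionInfo.FileVersionRaw
# PLACEHOLDER: replace with the crypt32.dll version Microsoft ships with the fix.
$ExpectedMinimum = [version]'0.0.0.0'
Write-Host "crypt32.dll file version: $Installed"
if ($Installed -lt $ExpectedMinimum) {
    Write-Warning "crypt32.dll $Installed is below the expected patched version $ExpectedMinimum"
}

# 2. Audit Authenticode signatures under a folder. Note that Get-AuthenticodeSignature itself
#    relies on CryptoAPI, so on an unpatched host treat the result as triage, not proof;
#    comparing the signer subject against the publisher you expect adds a second check.
function Get-SignatureReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSubjectPattern = ''   # optional substring expected in the signer subject
    )
    Get-ChildItem -Path $Path -Include *.exe, *.dll, *.sys -Recurse -File |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            $subject = if ($cert) { $cert.Subject } else { '' }
            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
                Signer      = $subject
                Issuer      = if ($cert) { $cert.Issuer } else { '' }
                Thumbprint  = if ($cert) { $cert.Thumbprint } else { '' }
                # True when the status is not Valid, or the signer does not match the expected publisher.
                NeedsReview = ($sig.Status -ne 'Valid') -or
                              ($ExpectedSubjectPattern -and ($subject -notlike "*$ExpectedSubjectPattern*"))
            }
        }
}

# Example use with a hypothetical folder and publisher name (both constructed for illustration).
$report = Get-SignatureReport -Path 'C:\Program Files\ExampleVendor' -ExpectedSubjectPattern 'Example Vendor'
$report | Where-Object { $_.NeedsReview } | Format-Table File, Status, Signer -AutoSize
```

Keep the output of step 1 from before and after Patch Tuesday; a version that does not change after the update is the first sign the patch did not apply. The report from step 2 is most useful when exported and compared over time, since a signer change on a binary that previously validated against the expected publisher is exactly the kind of anomaly a signature-spoofing flaw would produce.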
Microsoft has not yet responded to requests for comments. However, KrebsOnSecurity has heard rumors from various sources in the last 48 hours that this patch Tuesday (tomorrow) will include a major update that all organizations running Windows should address immediately.
Will Dormann, a security researcher who writes many of the vulnerability reports for the CERT Coordination Center (CERT-CC), tweeted today: “People should perhaps pay close attention to the installation of Microsoft’s patch updates on Tuesday in a timely manner. Even more than others. I don’t know … just call it a hunch?” Dormann declined to elaborate on that hint.
It could be that the timing and the subject here (cryptography) are nothing more than a coincidence, but KrebsOnSecurity today received an advisory from the U.S. National Security Agency (NSA) indicating that NSA Director of Cybersecurity Anne Neuberger is scheduled to hold a call with the media on January 14 that “will provide advanced notification of a current NSA cybersecurity problem.”
NSA public affairs staff did not respond to requests for more information about the nature or purpose of the call. The agency’s invitation said only that the call “reflects the NSA’s efforts to improve dialogue with industry partners regarding their work in the domain of cybersecurity.”
Stay tuned for Patch Tuesday’s coverage tomorrow and possibly more information about this particular vulnerability.
This is a syndicated Security Bloggers Network post from Krebs on Security, written by Brian Krebs. Read the original post at: https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/