Microsoft issues fix for critical Windows flaw disclosed by the NSA

Polycount

TS Evangelist
Staff member

According to security news site KrebsOnSecurity, the flaw in question resides in crypt32.dll, a Windows module that handles "certificate and cryptographic messaging functions in the CryptoAPI."

Krebs says CryptoAPI allows developers to "secure Windows-based applications using cryptography," among other things. If compromised, crypt32.dll could allow bad actors to spoof digital signatures on malware, making viruses appear legitimate while hiding far nastier surprises inside.

The site also says a vulnerability in this component may negatively impact the security of various Windows 10 features, including (but not limited to) "authentication on Windows desktops and servers," and the protection of sensitive data sent over the web via Microsoft Edge and Internet Explorer.

Though Krebs speculates that "all versions of Windows" are likely to have been affected by this vulnerability (crypt32.dll has been in use since the early days of Windows), the NSA has so far only confirmed that Windows 10 and Windows Server 2016 are impacted.

Either way, though, Microsoft gave the flaw a ranking of one, which is the second-worst classification you can hope for as a user. Patches for the serious flaw have already rolled out to affected systems (whether you're an enterprise customer or a normal user), so be sure to check Windows Update for the latest security fixes.


captaincranky

TechSpot Addict
Hmmmm....Windows 7 support ends January 14, 2020. ....Code “1” critical security flaw found & patched January 14, 2020.... Very interesting indeed.
So you're saying you don't think that's just a "coincidence"?

Because if you won't say it's "just a coincidence", M$ certainly will "truthfully" tell you it was.
 

theruck

TS Addict
Hmmmm....Windows 7 support ends January 14, 2020. ....Code “1” critical security flaw found & patched January 14, 2020.... Very interesting indeed.
That is the last regular monthly update date that a security update is released for Windows 7. All other OSes get the same date for updates. So that is not a coincidence. It is just the last time you get the update for Win7. The next cycle in a month will not contain any Win7 updates. Got it?
 

netman

TS Evangelist
Don't be a fool...! When NSA finds a flaw in Windows OS, rest assured that the backdoor still exists but now is a lot easier to access...!
 

PEnnn

TS Maniac
The cynic in me thinks the NSA really wants easier access to Windows 10 through an alleged "urgently needed fix" ......
 

Markoni35

TS Maniac
NSA has used the flaw for years, but now that the Chinese found out about it too, NSA warns Microsoft "with good intentions" that the flaw needs to be fixed. And then another flaw created. Because NSA has a requirement on a minimum number of security holes they expect from an OS manufacturer.