What just happened? Few things are more terrifying than receiving a warning from the National Security Agency (NSA), and that's exactly what happened to Microsoft yesterday. The intelligence organization discovered a severe flaw in Windows, and instead of harnessing that knowledge to further their own goals, the NSA's programmers disclosed it directly to Microsoft.
According to the security news site KrebsOnSecurity, the flaw in question resides in crypt32.dll, a Windows module that handles "certificate and cryptographic messaging functions in the CryptoAPI."
Krebs says CryptoAPI allows developers to "secure Windows-based applications using cryptography," among other things. If exploited, the flaw in crypt32.dll could allow bad actors to spoof digital signatures on malware, making viruses appear legitimate while hiding far nastier surprises inside.
The site also says a vulnerability in this component may negatively impact the security of various Windows 10 features, including (but not limited to) "authentication on Windows desktops and servers," and the protection of sensitive data sent over the web via Microsoft Edge and Internet Explorer.
I get the impression that people should perhaps pay very close attention to installing tomorrow's Microsoft Patch Tuesday updates in a timely manner. Even more so than others. I don't know... just call it a hunch?
— Will Dormann (@wdormann) January 13, 2020
Though Krebs speculates that "all versions of Windows" are likely to have been affected by this vulnerability (crypt32.dll has been in use since the early days of Windows), the NSA has so far only confirmed that Windows 10 and Windows Server 2016 are impacted.
Either way, though, Microsoft gave the flaw a ranking of one, which is the second-most-severe classification on its scale. Patches for the serious flaw have already rolled out to affected systems (whether you're an enterprise customer or a normal user), so be sure to check Windows Update for the latest security fixes.
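For an administrator who wants to confirm that the fix has actually landed rather than trusting that Windows Update ran, the following PowerShell script is an added example (not code from the article, Krebs, or Microsoft). It reports the installed version of crypt32.dll, lists updates installed in the last two weeks, checks for a specific update, and runs an Authenticode signature check through CryptoAPI. The KB identifier is a placeholder, since the article does not name it; substitute the one from Microsoft's advisory.

```powershell
# Added example: confirm the January 2020 Patch Tuesday fix is present.
# $ExpectedKb is a placeholder; the article does not give the KB number.
$ExpectedKb = 'KBXXXXXXX'

# 1. Version of the affected module. Compare against the version listed
#    in the Microsoft advisory for your Windows build.
$dll = Get-Item "$env:SystemRoot\System32\crypt32.dll"
[pscustomobject]@{
    File        = $dll.FullName
    FileVersion = $dll.VersionInfo.FileVersion
    LastWrite   = $dll.LastWriteTime
}

# 2. Updates installed in the last 14 days, newest first, so a missing
#    Patch Tuesday rollup stands out.
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-14) } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn

# 3. Direct check for the update named in the advisory.
if (Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue) {
    "Update $ExpectedKb is installed."
} else {
    "Update $ExpectedKb not found; run Windows Update and re-check."
}

# 4. Authenticode verification goes through CryptoAPI itself. Once the
#    module is patched, this is the validation path that rejects the kind
#    of spoofed certificate the article describes.
Get-AuthenticodeSignature -FilePath $dll.FullName |
    Select-Object Status, StatusMessage,
        @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
```

Run it in an elevated PowerShell session on each host you are responsible for; a Status other than Valid in the final step, or an unexpectedly old file version, is a reason to look closer before assuming the machine is covered.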