Rumor: Microsoft might share information on extremely critical vulnerability later today
It's tagged as a rumor, but you can rest assured it'll become a fact. Keep an eye out on your Tuesday patches, and apply them. According to Krebs On Security, Microsoft is about to release info on an extremely critical vulnerability in Windows.
Rumors are indicative that the issue is to be found in a cryptographic component, which is present in all Windows versions. A patch would be released starting today, Tuesday. Not much is known about the alleged vulnerability, except that it would be the CryptoAPI.
- Krebs -
Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.
According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.
A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.
Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company. This component was introduced into Windows more than 20 years ago — back in Windows NT 4.0. Consequently, all versions of Windows are likely affected (including Windows XP, which is no longer being supported with patches from Microsoft).
Microsoft responded, saying that it does not discuss the details of reported vulnerabilities before an update is available. And that is the good news: a patch will be in place real soon.
Source: Krebs On Security via HWI
Senior Member
Posts: 17562
Joined: 2009-02-25
Well they do want people to use the newest build so maybe that'd do it...
What will they fix, though? The ease with which one bypasses the activation requirements? :p
(Well, it's probably quite important, but I guess we'll get some details in an hour or so when the update is actually out.)
EDIT: Sides they've been handing out free system upgrades for users on W7 way after the initial time period for that was out so yeah it's probably something quite important then.
Now what is it, and what will it do to overall system performance?

(Eh it's probably not too bad in that regard.)
Hmm wonder if that means the current 19500 build is already using that fix, 19000 20H1 hasn't been updated since December and might be vulnerable still.
Guess a .xxx update for current 19000 build would also confirm it's kinda probably going to be the RTM build instead of issuing a full new build.
And whatever else for 19H2 and earlier this cumulative will fix up.
Senior Member
Posts: 12813
Joined: 2003-05-11
and we're patched!

Senior Member
Posts: 312
Joined: 2009-03-17
whole bunch of new stuff just came down the pipe
Senior Member
Posts: 4412
Joined: 2008-03-03
there you go....
Original Release Date: 2020-01-14 | Last Revised: 2020-01-14
The Microsoft Windows CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography (ECC), which may allow an attacker to spoof the validity of certificate chains.
The Microsoft Windows CryptoAPI, which is provided by Crypt32.dll, fails to validate ECC certificates in a way that properly leverages the protections that ECC cryptography should provide. As a result, an attacker may be able to craft a certificate that appears to have the ability to be traced to a trusted root certificate authority.
Any software, including third-party non-Microsoft software, that relies on the Windows CertGetCertificateChain() function to determine if an X.509 certificate can be traced to a trusted root CA may incorrectly determine the trustworthiness of a certificate chain.
By exploiting this vulnerability, an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system. This may allow various actions including, but not limited to, interception and modification of TLS-encrypted communications or spoofing an Authenticode signature.
Apply an update
This vulnerability is addressed in the Microsoft Update for CVE-2020-0601.
Full CERT Report:
https://kb.cert.org/vuls/id/849224/
The NSA did find this one.. just on a side note.. (I'm pretty sure they even used it)
Update, Jan. 14, 9:20 a.m. ET: The NSA’s Neuberger said in a media call this morning that the agency did indeed report this vulnerability to Microsoft, and that this was the first time Microsoft will have credited NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet.
According to the NSA, the problem exists in Windows 10 and Windows Server 2016. Asked why the NSA was focusing on this particular vulnerability, Neuberger said the concern was that it “makes trust vulnerable.” The agency declined to say when it discovered the flaw, and that it would wait until Microsoft releases a patch for it later today before discussing further details of the vulnerability.
Update, 1:47 p.m. ET: Microsoft has released updates for this flaw (CVE-2020-0601). Their advisory is here. The NSA’s writeup (PDF) includes quite a bit more detail, as does the advisory from CERT.
Updated from Krebs
https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/
-- This issue was disclosed by Microsoft, who in turn credit the National Security Agency (NSA).
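Added defensive example (not from the thread, the CERT note or Microsoft): a small triage check that parses an X.509 SubjectPublicKeyInfo and flags ECC keys whose curve is encoded as explicit parameters instead of a named-curve OID. The CERT note above only says that CryptoAPI mishandles ECC certificates; that the risky encoding is explicit curve parameters comes from the public CVE-2020-0601 advisories, not from this page. The DER walker and the SPKI test vectors (with dummy public-key bytes) are constructed for this example.

```python
# Added example (not from the thread or the CERT note): flag ECC public keys
# whose curve is carried as explicit parameters rather than a named-curve OID.
# Minimal DER walker; SPKI byte strings below are constructed test vectors.
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey (RFC 5480)

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    out, pos = [], 0                        # (tag, content) pairs of a SEQUENCE
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def decode_oid(content):
    """Decode OID content octets into dotted-decimal form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_spki(spki):
    """Return 'named-curve', 'explicit-params' (the risky encoding) or 'not-ec'."""
    tag, body, _ = der_read(spki)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    alg_tag, alg = der_children(body)[0]    # AlgorithmIdentifier
    if alg_tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    fields = der_children(alg)              # [algorithm OID, parameters]
    if decode_oid(fields[0][1]) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    params_tag = fields[1][0] if len(fields) > 1 else None
    # RFC 5480 allows only namedCurve (an OID) here; anything else is suspect.
    return "named-curve" if params_tag == 0x06 else "explicit-params"

# Constructed SPKIs (dummy 3-byte public keys): P-256 named curve, a skeletal
# ECParameters SEQUENCE standing in for explicit parameters, and RSA for contrast.
NAMED_CURVE_SPKI = bytes.fromhex("301c3013" "06072a8648ce3d0201" "06082a8648ce3d030107" "03050004010203")
EXPLICIT_SPKI = bytes.fromhex("3017300e" "06072a8648ce3d0201" "3003020101" "03050004010203")
RSA_SPKI = bytes.fromhex("3016300d" "06092a864886f70d010101" "0500" "03050004010203")
```

To use it on real material, feed `classify_spki` the DER SubjectPublicKeyInfo extracted from each certificate in a chain and alert on any `explicit-params` result.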
Senior Member
Posts: 213
Joined: 2019-04-15
"According to Krebs On Security, Microsoft is about to release an extremely critical vulnerability in Windows."
I seriously doubt that is really what they are going to release.