Corsair H170i Elite Capellix XT review
Forspoken: PC performance graphics benchmarks
ASRock Z790 Taichi review
The Callisto Protocol: PC graphics benchmarks
G.Skill TridentZ 5 RGB 6800 MHz CL34 DDR5 review
Be Quiet! Dark Power 13 - 1000W PSU Review
Palit GeForce RTX 4080 GamingPRO OC review
Core i9 13900K DDR5 7200 MHz (+memory scaling) review
Seasonic Prime Titanium TX-1300 (1300W PSU) review
F1 2022: PC graphics performance benchmark review
Rumor: Microsoft might share information on extremely critical vulnerability later today
It's tagged as a rumor, but you can rest assured it'll become a fact. Keep an eye out on your Tuesday patches, and apply them. According to Krebs On Security, Microsoft is about to release info on an extremely critical vulnerability in Windows.
Rumors are indicative that the issue is to be found in a cryptographic component, which is present in all Windows versions. A patch would be released starting today, Tuesday. Not much is known about the alleged vulnerability, except that it would be the CryptoAPI.
- Krebs -
Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.
According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.
A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.
Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company. This component was introduced into Windows more than 20 years ago — back in Windows NT 4.0. Consequently, all versions of Windows are likely affected (including Windows XP, which is no longer being supported with patches from Microsoft).
Microsoft responded, saying that it does not discuss the details of reported vulnerabilities before an update is available. And that is the good news, a patch will be in place real soon.
Source: Krebs On Security via HWI
Hilbert Hagedoorn
Don Vito Corleone
Posts: 45550
Joined: 2000-02-22
Don Vito Corleone
Posts: 45550
Joined: 2000-02-22
#5750605 Posted on: 01/14/2020 04:02 PM
Nah, it coincides with patch Tuesday and the EOL of Windows 7 was already planned years ago. If it is as bad as this sounds, then MS will certainly push another patch update for W7.
Nah, it coincides with patch Tuesday and the EOL of Windows 7 was already planned years ago. If it is as bad as this sounds, then MS will certainly push another patch update for W7.
asturur
Senior Member
Posts: 1305
Joined: 2010-05-12
Senior Member
Posts: 1305
Joined: 2010-05-12
#5750606 Posted on: 01/14/2020 04:06 PM
Also because if is really 20 years old hole... They do not want to be responsible for open doors in a still large population of computers.
Also because if is really 20 years old hole... They do not want to be responsible for open doors in a still large population of computers.
schmidtbag
Senior Member
Posts: 7163
Joined: 2012-11-10
Senior Member
Posts: 7163
Joined: 2012-11-10
#5750610 Posted on: 01/14/2020 04:14 PM
@Will Dormann
I get the impression that MS developers should pay closer attention to how they implement security. I don't know... just call it the bare minimum?
@Will Dormann
I get the impression that MS developers should pay closer attention to how they implement security. I don't know... just call it the bare minimum?
geogan
Senior Member
Posts: 1126
Joined: 2010-01-04
Senior Member
Posts: 1126
Joined: 2010-01-04
#5750612 Posted on: 01/14/2020 04:29 PM
Could it have something to do with Windows 7 ?
now its officially EOL, maybe they'll admit there's a huge gaping hole, that they won't be closing, or can't close.....
Can't close?? It's a single DLL file. All you would have to do is copy over the newer patched file version surely? (Unless the OS won't allow computer admin to overwrite that file)
Could it have something to do with Windows 7 ?
now its officially EOL, maybe they'll admit there's a huge gaping hole, that they won't be closing, or can't close.....
Can't close?? It's a single DLL file. All you would have to do is copy over the newer patched file version surely? (Unless the OS won't allow computer admin to overwrite that file)
Click here to post a comment for this news story on the message forum.
Senior Member
Posts: 1309
Joined: 2003-09-14
Could it have something to do with Windows 7 ?
now its officially EOL, maybe they'll admit there's a huge gaping hole, that they won't be closing, or can't close.....