Evildead666:

Could it have something to do with Windows 7 ? now its officially EOL, maybe they'll admit there's a huge gaping hole, that they won't be closing, or can't close.....

Texter:

Yeah as long as they fix it without breaking something else;)

Hilbert Hagedoorn:

Nah, it coincides with patch Tuesday and the EOL of Windows 7 was already planned years ago. If it is as bad as this sounds, then MS will certainly push another patch update for W7.

Crazy Joe:

Any idea when the patches for Patch Tuesday are supposed to drop? For me this Tuesday is already 2/3's over!

SamuelL421:

I hope this is true, but I am not so certain. MS has been very vocal the past few weeks about the continued support / patches only being made available to businesses and 365 subscribers who are licensed for the extended support 🙁

Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains Vulnerability Note VU#849224 Original Release Date: 2020-01-14 | Last Revised: 2020-01-14 Overview The Microsoft Windows CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography (ECC), which may allow an attacker to spoof the validity of certificate chains. Description The Microsoft Windows CryptoAPI, which is provided by Crypt32.dll, fails to validate ECC certificates in a way that properly leverages the protections that ECC cryptography should provide. As a result, an attacker may be able to craft a certificate that appears to have the ability to be traced to a trusted root certificate authority. Any software, including third-party non-Microsoft software, that relies on the Windows CertGetCertificateChain() function to determine if an X.509 certificate can be traced to a trusted root CA may incorrectly determine the trustworthiness of a certificate chain. Impact By exploiting this vulnerability, an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system. This may allow various actions including, but not limited to, interception and modification of TLS-encrypted communications or spoofing an Authenticode signature. Solution Apply an update This vulnerability is addressed in the Microsoft Update for CVE-2020-0601.

Update, Jan. 14, 9:20 a.m. ET: The NSA’s Neuberger said in a media call this morning that the agency did indeed report this vulnerability to Microsoft, and that this was the first time Microsoft will have credited NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet. According to the NSA, the problem exists in Windows 10 and Windows Server 2016. Asked why the NSA was focusing on this particular vulnerability, Neuberger said the concern was that it “makes trust vulnerable.” The agency declined to say when it discovered the flaw, and that it would wait until Microsoft releases a patch for it later today before discussing further details of the vulnerability. Update, 1:47 p.m. ET: Microsoft has released updates for this flaw (CVE-2020-0601). Their advisory is here. The NSA’s writeup (PDF) includes quite a bit more detail, as does the advisory from CERT.