Rumors of an ‘extraordinarily serious’ Windows vulnerability suggest users need to update today
Microsoft Windows users have grown used to the monthly “Patch Tuesday” update cycle and the disclosure of fixed vulnerabilities affecting the operating system that comes with it. Because of the well-documented problems that users updating Windows 10 have suffered over the last year or two, many are inclined to delay installing these updates for as long as they can. Today is not the day to defer your Windows update, if the Microsoft security grapevine is anything to go by.
It appears that there could be what one leading investigative reporter has called “an extraordinarily serious security vulnerability” in a core cryptographic component present in Windows 10. Before you take a deep breath and relax because you are still using Windows 8, Windows 7 or Windows XP, note that the same crypto component is present in all versions of Windows.
To add fuel to this critical security vulnerability fire, it is also rumored that the U.S. military and high-value internet infrastructure targets have been shipped the fix ahead of today’s release, under strict non-disclosure agreements to prevent early disclosure of the vulnerability itself. So, is this just a rumor? That the U.S. National Security Agency (NSA) is due to hold a news media call led by its director of cybersecurity, Anne Neuberger, suggests not. The purpose of that media call is, according to reporters who have received the notification, to “provide advanced notification of a current NSA cybersecurity issue.”
What is known about this ‘extraordinarily serious’ Windows security vulnerability?
The first hint that something big is happening today came in a message posted on Twitter yesterday by Will Dormann, an analyst who authors vulnerability reports at the CERT Coordination Center (CERT/CC). “I get the impression that people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others,” Dormann wrote, adding, “I don’t know… just call it a hunch?”
This was picked up by investigative reporter Brian Krebs, who said that his sources told him, “Microsoft is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows.”
Those same sources suggested the vulnerability is within crypt32.dll, a Windows component that handles security certificates and cryptographic messaging functions. The CryptoAPI is what enables developers to secure Windows-based applications, so any critical vulnerability here could affect encryption and decryption that relies on digital certificates. Krebs said that it could also affect “authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.”
How big could this Windows security problem be?
At this point, it has to be reiterated that this remains conjecture: no disclosure has been made, and neither Microsoft nor the NSA is saying anything beyond confirming that details of any vulnerability will not be discussed before an update has been made available.
“If it’s true that there are vulnerabilities in Microsoft’s CryptoAPI,” ethical hacker John Opdenakker says, “the potential impact can be big. From the past, we also know that a lot of companies and people are not quick at patching, which puts them at risk. This shows why automatic updates are so important.”
“If the fix has already been shipped to organizations such as the U.S. military,” Sean Wright, chapter lead at OWASP Scotland, says, “it further backs up this suspicion. It’s going to be really interesting to see what it is.”
Interesting indeed. As soon as I know anything further, I will bring you the facts of the matter.