Today is Patch Tuesday, and KrebsOnSecurity reports that Microsoft may be getting ready to patch a very serious cryptographic flaw in Windows, one that could leave installations vulnerable to malware spoofing itself as a trusted, digitally signed component.
Sources say Microsoft on Tuesday will fix an extraordinarily scary flaw in all Windows versions, in a core cryptographic component that could be abused to spoof the source of digitally signed software. Apparently DoD & a few others got an advance patch https://t.co/V6PByhjTNR
— briankrebs (@briankrebs) January 13, 2020
Reportedly the flaw, in the Windows component crypt32.dll, is so serious that Microsoft shipped a patch to government security services ahead of time, with KrebsOnSecurity saying:
Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.
In a later statement, Microsoft denied this. The more serious issue, however, is that the component is present in all versions of Windows stretching back to Windows NT, and that Windows 7 installations without extended service contracts are not expected to be patched today.
PCWorld speculates that this would be the perfect opportunity to nudge Windows 7 users into finally upgrading, though with such a serious vulnerability Microsoft will likely still deliver a patch, as it has done before for Windows XP.
That will not always be the case, however, which suggests that for regular users time really should be up for Windows 7.