Security researcher Brian Krebs is warning that a particularly nasty bug may be patched on Tuesday, January 14—the day that support for Windows 7 is expected to expire. And it appears that Microsoft will have more to share later today.
If that’s true, then potentially millions of Windows users could be exposed to the flaw, which Krebs is reporting could involve crypt32.dll, the library that controls “certificate and cryptographic messaging functions in the CryptoAPI.” Here’s what’s scary, Krebs reports: a flaw in crypt32.dll could be used to spoof the digital signature of a piece of software, creating the possibility that your PC could allow in a piece of malware posing as a perfectly legitimate application.
The Washington Post reported Tuesday morning that the National Security Agency had found a major vulnerability—and, instead of using it themselves, reported it to Microsoft. Microsoft will reportedly patch the flaw, and provide more detail on what it entailed, later today. (Krebs was told on the record by Microsoft that the company won’t comment before the patch is released.)
Krebs is also noting that Will Dormann, who authors many of the vulnerability reports for the CERT Coordination Center, tweeted that “people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday Updates in a timely manner.”
Krebs reported that the NSA is scheduled to host a conference call on January 14 regarding a current cybersecurity issue, which the Post confirmed. What’s interesting is that the Post reported that an earlier, unrelated Windows vulnerability was exploited by the NSA for years, then reported to Microsoft when the NSA learned it had been discovered elsewhere. The exploit, named EternalBlue, was later weaponized in the WannaCry ransomware outbreak. The NSA apparently doesn’t want to repeat that.
With support for Windows 7 set to expire Tuesday, the timing of this is extremely concerning, potentially leaving millions of Windows 7 users especially vulnerable. However, analysts note that support for Windows 7 runs through today, which means that Windows 7 may be patched after all. (It’s unlikely that Microsoft would have declined to patch Windows 7, anyway, due to the negative publicity that would bring.) Although older reports suggested that all Windows versions would be affected, new information unearthed by Krebs suggests it may just be Windows 10.
Nevertheless, Microsoft couldn’t come up with a more perfect reason to encourage users to migrate off an older, less secure OS—even if both Windows 10 and Windows 7 are vulnerable.
Regardless of whether Microsoft or the NSA plans to release a bombshell later, one thing is true: Keeping your PC up to date with patches and other fixes is essential.
This story was updated at 9:53 AM with new information.