NSA Discovers Major Cryptographic Security Flaw Present in “All Versions of Windows”


Image: Microsoft

Amusingly enough, Windows 7’s end-of-life date has coincided with a fresh reason to move off the aging operating system. Krebs on Security received word yesterday of a major vulnerability in crypt32.dll, the Windows CryptoAPI module that handles certificate and cryptographic messaging functions and has shipped with every version of the OS since NT 4.0.

Sources told Krebs that the critical flaw “could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.” Microsoft’s advisory pins down the root cause: Windows CryptoAPI does not correctly validate Elliptic Curve Cryptography (ECC) certificates, so an attacker can present a certificate that appears to chain to a trusted root when it does not. That is what makes digital signatures spoofable. A signed executable, an HTTPS server, or a signed email backed by such a forged certificate looks legitimate to Windows, so malware can be dressed up as trusted, signed code.

The flaw was kept quiet until the NSA’s media call today, in which Director of Cybersecurity Anne Neuberger announced the bug and summarized it in a two-page advisory (“Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers”). The secrecy was deliberate: the agency deemed it a serious “cybersecurity issue” that “makes trust vulnerable.” This is also the first vulnerability for which the NSA has publicly taken credit when reporting it to Microsoft.

Microsoft has already pushed out a patch (CVE-2020-0601) for all versions of Windows 10, Windows Server 2016 and 2019, and Windows Server versions 1803, 1903 and 1909. Those are also the only releases Microsoft lists as affected; despite crypt32.dll’s long history, Windows 7 is not on the affected list for this particular bug. Still, the incident is new ammo for those who think Windows 7 users are crazy for sticking with an OS that, as of today, no longer receives free security updates and will not be patched against the next flaw of this kind.

ZDNet has compiled a full list of the 49 vulnerabilities addressed by today’s Patch Tuesday fixes.


Tsing Mui
News poster at The FPS Review.
