Amusingly enough, Windows 7’s EOL date has coincided with a great reason to upgrade from the aging operating system. Krebs on Security received word of a major security vulnerability yesterday involving crypt32.dll, a Windows module present on all versions of the OS since NT 4.0.
Sources claimed that there was a critical vulnerability in the component that “could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.” The flaw also allowed attackers to spoof digital signatures, meaning that malware could be made to look legitimate.
The security flaw was largely hush-hush until the NSA’s media call today, in which Director of Cybersecurity Anne Neuberger announced the bug and outlined it in a two-page document (“Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers”). Everything was kept under wraps because it was deemed a serious “cybersecurity issue” that “makes trust vulnerable.” This happens to be the first security flaw reported to Microsoft by the NSA.
Microsoft has already pushed out a patch for this (CVE-2020-0601), which can be applied to all versions of Windows 10, Windows Server 2016/2019, and Windows Server version 1803/1903/1909. Again, this incident is new ammo for those who think Windows 7 users are crazy for sticking to an older OS.
ZDNet has compiled a full list of the 49 vulnerabilities addressed by today’s Patch Tuesday fixes.