New Windows 10 ‘Extraordinarily Serious’ Security Warning For 900 Million Users


Microsoft Windows users have got used to the monthly "Patch Tuesday" update cycle and the disclosure of patched operating-system vulnerabilities that comes with it. Because of the well-documented problems that users updating Windows 10 have suffered over the last year or two, many are inclined to do what they can to avoid installing these updates immediately. Today is not the day to defer your Windows update, if the Microsoft security grapevine is anything to go by.

It appears that there could be what one leading investigative reporter has called "an extraordinarily serious security vulnerability" in a core cryptographic component that is present in Windows 10. Before you take a deep breath and relax because you're still using Windows 8, Windows 7 or Windows XP, that same crypto component is present in all versions of Windows.

To add fuel to this critical security vulnerability fire, it is also rumored that the U.S. military and high-value internet infrastructure targets have been shipped the fix ahead of today under strict non-disclosure agreements to prevent early disclosure of the vulnerability itself. So, is this just a rumor? That the U.S. National Security Agency (NSA) is due to hold a news media call hosted by its director of cybersecurity, Anne Neuberger, suggests not. The purpose of that media call is, according to reporters who have received the notification, to "provide advanced notification of a current NSA cybersecurity issue."

What is known about this ‘extraordinarily serious’ Windows security vulnerability?

The first hint that something big is happening today came in a message posted on Twitter yesterday by Will Dormann, an analyst who authors vulnerability reports at the Computer Emergency Response Team Coordination Center (CERT/CC). "I get the impression that people should perhaps pay very close attention to installing tomorrow's Microsoft Patch Tuesday updates in a timely manner. Even more so than others," Dormann wrote, adding, "I don't know... just call it a hunch?"

This was picked up by investigative reporter Brian Krebs, who said that his sources told him, "Microsoft is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows."

Those same sources suggested the vulnerability is within crypt32.dll, a Windows component that handles security certificates and cryptographic messaging functions. The CryptoAPI is what enables developers to secure Windows-based applications, and any critical vulnerability here could impact encryption and decryption using digital certificates. Krebs said that it could also affect "authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools."

How big could this Windows security problem be?

At this point, it has to be reiterated that this remains conjecture: no disclosure has been made, and neither Microsoft nor the NSA is saying anything beyond confirming that details of any vulnerability will not be discussed before an update has been made available.

"If it's true that there are vulnerabilities in Microsoft's CryptoAPI," security professional John Opdenakker says, "the potential impact can be big. From the past, we also know that a lot of companies and people are not quick at patching, which puts them at risk. This shows why automatic updates are so important."

"If the fix has already been shipped to organizations such as the U.S. military," Sean Wright, chapter lead at OWASP Scotland, says, "it further backs up this suspicion. It’s going to be really interesting to see what it is."

Interesting indeed. As soon as I know anything further, I will bring you the facts of the matter.

Meanwhile, Boris Cipot, a senior security engineer at Synopsys, has said that this is a serious issue, as crypt32.dll is needed to secure the operating system, so applying the patch as soon as the update is released is key. The problem comes if you are a Windows 7 user. "An issue remains for all the Windows 7 operating systems that are still in use, for which the support is ending today, 14th of January," Cipot said, "it will be up to Microsoft to decide whether they will release a last patch, even after the software has reached its end of life." Cipot also has some valuable advice regarding the social engineering threat. "Users are also urged not to trust websites or emails with links that offer patches for the crypt32.dll," Cipot said, "it is important to use the official channels to update operating systems, in this case, the Update and Security section in Windows 10 settings."

UPDATE:

The NSA's director of cybersecurity, Anne Neuberger, has confirmed a flaw exists in Windows 10 that "makes trust vulnerable" and was reported to Microsoft by the NSA itself.

UPDATE:

Microsoft has now also confirmed the vulnerability. It stated that "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates." This means that an attacker could exploit this, in a way that the NSA said "makes trust vulnerable," by using a spoofed code-signing certificate. By so doing, a malicious file could appear to come from a legitimate and trusted source. "A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software," Microsoft said, adding that "the security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates." All Windows 10 users are advised to apply the Patch Tuesday update as soon as it becomes available to them.

Updated January 14

More comment and advice added for Windows 7 users

NSA confirms Windows 10 flaw

Microsoft confirms CryptoAPI spoofing vulnerability
