Patch Tuesday Panic: ‘Extraordinarily Serious’ Bug in CryptoAPI

Today’s Microsoft Windows patch batch will contain a fix for a big, huge, nasty, critical encryption bug. (At least, that’s the deep-throat whisper coming from several anonymous sources.)

The NSA had something to do with finding it. (Or so we’re told.)

Hopefully, this isn’t just an evil Microsoft ploy to scare people into upgrading Windows 7. In today’s SB Blogwatch, we wonder if we’re mere useful idiots.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Habitat 67.


_NSAKEY Redux?

What’s the craic? All aboard the Brian Krebs cycle—“Cryptic Rumblings Ahead of First 2020 Patch Tuesday”:

 Sources [say] Microsoft Corp. is slated … to fix an extraordinarily serious security vulnerability in a core cryptographic component. … CryptoAPI provides services … for encrypting and decrypting data using digital certificates.

[I’ve] heard rumblings from several sources … that this Patch Tuesday … will include a doozy of an update that will need to be addressed immediately by all organizations running Windows. … It could be that the timing and topic [are] nothing more than a coincidence, but [I] today received a heads up … stating that NSA’s Director of Cybersecurity Anne Neuberger is slated to host a call on Jan. 14 with the news media that “will provide advanced notification of a current NSA cybersecurity issue.”

And Mark Hachman adds—“Rumors mount that a major bug could be disclosed on the day Microsoft ends support for Windows 7”:

 If that’s true, then potentially millions of Windows users could be exposed. … With support for Windows 7 set to expire tomorrow, the timing of this is extremely concerning.

Microsoft couldn’t come up with a more perfect reason to encourage users to migrate off an older, less secure OS. … One thing is true: You simply can not go wrong keeping your PC up to date with patches and other fixes.

What was that about timing? Paul Wagenseil explains—“What you need to know”:

 [This] Patch Tuesday is also noteworthy because it’s (probably) the last time that Windows 7 will get a security update. The 10-year-old operating system officially reaches end-of-life [today], although it will get this extraordinarily serious patch, whatever it turns out to be.

And that NSA angle? Ellen Nakashima has more on that—“NSA found a dangerous Microsoft software flaw”:

 The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system … and alerted the firm of the problem rather than turn it into a hacking weapon. [It] represents a major shift in the NSA’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools that allow the agency to spy on adversaries’ networks … according to people familiar with the matter. … Microsoft plans to issue a patch for the flaw on Tuesday, the individuals said.

The discovery has been likened to a slightly less severe version of the Microsoft flaw that the NSA once weaponized by creating a hacking tool dubbed EternalBlue. … The NSA used EternalBlue for more than five years, but when it learned that the tool had been obtained by others, it alerted Microsoft, which issued a patch in early 2017.

Microsoft … has seen no active exploitation of the [latest] flaw, one of the people … said.

Kudos? But that’s part of the NSA’s mission. So syshum is slightly cynical:

 Most of the time however they hold back vulnerabilities so they can exploit them for their own purposes. Modern NSA is more black hat than white hat, sadly.

Yet Robert Malchman prefers sarcasm:

 Thank goodness we can trust the government and big tech companies with matters like this that can affect huge portions of the public. /s

So how did the flaw get found? In the fervent imagination of DesScorp, here’s how it went down:

 My bet is [the NSA] were researching new ways to plant malware in Windows—for doing things like planting Trojans in Iranian nuclear research servers—and that in doing so, they found the bug. Which means that they think it’s a pretty damn serious bug.

But but but what do we know for sure? US CERT’s Will Dormann—@wdormann—hints at some insider info:

 I get the impression that people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others.

Just call it a hunch? ¯\_(ツ)_/¯

Meanwhile, The Sunshine State leaves this obligatory snark:

 Maybe more people should be using Linux instead of dealing with Windows?

And Finally:

Habitat 67



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Géraldine Le Meur for LeWeb (cc:by)

Richi Jennings


Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
