If you’re the kind of person who delays Windows updates as long as you possibly can, today is not the day to do that.
According to several reports, the U.S. National Security Agency has discovered a major cybersecurity flaw in multiple versions of Microsoft’s Windows operating systems that could expose users to breaches or surveillance.
Rather than use the vulnerability for the government’s benefit, the agency disclosed the problem to the company, reports the Washington Post.
According to investigative cybersecurity journalist Brian Krebs, who cites anonymous sources on his website, the vulnerability is in a Windows component known as crypt32.dll that handles “certificate and cryptographic messaging functions in the CryptoAPI.”
According to Krebs, the Microsoft Crypto API provides services that enable developers to secure Windows-based applications using cryptography and includes encryption and decryption tools via digital certificates.
I’ll let Krebs explain more, in his own words:
“A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.
Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.”
Krebs goes on to cite other sources who say fixes have already been shipped to high-value customers and potential hacking targets within the U.S. military and others that manage key internet infrastructure.
Citing anonymous sources, Krebs says those customers have been asked to sign non-disclosure agreements that prevent them from talking about the flaw before Microsoft issues a patch today.
Apparently, this major cybersecurity concern affects users of most Windows systems, including Windows XP and Windows 7, and support for the latter ends today.
As of this writing, the company had not yet released the patch or acknowledged the vulnerability publicly.