14 January 2020

According to numerous sources, the upcoming Microsoft Windows patch should be applied immediately to fix an as-yet unconfirmed but serious vulnerability.

Veteran researcher Brian Krebs posted a blog outlining some of the rumours, focussing on a flaw in ‘a core cryptographic component present in all versions of Windows.’ According to Krebs' sources, the vulnerability concerns a Windows component known as crypt32.dll, a Windows module that Microsoft says handles "certificate and cryptographic messaging functions in the CryptoAPI."

This component includes functionality for encrypting and decrypting data using digital certificates, which if compromised could have serious ramifications for authentication on Windows desktops and servers, sensitive data handled by the Explorer/Edge browsers, and a host of associated applications and services.
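For administrators who want a concrete way to track whether the crypt32.dll module named above actually changes on their hosts once the patch lands, the following PowerShell is an added example written for this article, not code from Microsoft or from any source quoted here. It assumes it is run with administrative rights on a Windows host, records the current version, signature and hash of crypt32.dll, and lists updates the Windows Update Agent reports as not yet installed; the fixed file version is not known from the article, so the script compares a baseline taken before patching with a run taken afterwards rather than checking against any hard-coded number.

```powershell
# Added example (not from the article): baseline crypt32.dll and list pending updates.
# Assumes: run on the Windows host itself, with administrative rights.

function Get-Crypt32Info {
    # Locate the CryptoAPI module in the system directory.
    $path = Join-Path $env:SystemRoot 'System32\crypt32.dll'
    $item = Get-Item -Path $path
    $sig  = Get-AuthenticodeSignature -FilePath $path

    # Version, timestamp and hash form the baseline; the Authenticode check
    # confirms the file on disk is still a Microsoft-signed binary.
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Path            = $path
        FileVersion     = $item.VersionInfo.FileVersion
        LastWriteTime   = $item.LastWriteTime
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        SHA256          = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    }
}

function Get-PendingSoftwareUpdates {
    # Query the Windows Update Agent COM API for updates not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity   # e.g. Critical / Important; empty for non-security updates
            Title    = $u.Title
        }
    }
}

# Baseline file written before patching; rerun the script after the update and compare.
$baseline = Join-Path $env:TEMP 'crypt32-baseline.json'
$current  = Get-Crypt32Info

if (Test-Path $baseline) {
    $before = Get-Content $baseline | ConvertFrom-Json
    if ($before.SHA256 -ne $current.SHA256) {
        Write-Host "crypt32.dll changed: $($before.FileVersion) -> $($current.FileVersion)"
    } else {
        Write-Host "crypt32.dll unchanged since baseline ($($current.FileVersion))"
    }
} else {
    $current | ConvertTo-Json | Set-Content $baseline
    Write-Host "Baseline recorded at $baseline"
}

$current | Format-List
Get-PendingSoftwareUpdates | Sort-Object Severity | Format-Table -AutoSize
```

Run it once before Patch Tuesday to write the baseline, then again after the update has been applied: a changed hash and version on crypt32.dll, together with an empty pending-updates table, is the evidence that the host picked up the fix. To collect the same data from many hosts, the `Get-Crypt32Info` function body can be passed to `Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Get-Crypt32Info}` over WinRM.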

Security researcher Will Dormann responded to the rumours with a tweet suggesting that "people should perhaps pay very close attention" to the upcoming patch, a sentiment echoed by Professor Alan Woodward in a later tweet.

I get the impression that people should perhaps pay very close attention to installing tomorrow's Microsoft Patch Tuesday updates in a timely manner. Even more so than others.

I don't know... just call it a hunch?

¯\_(ツ)_/¯ — Will Dormann (@wdormann) 13 January 2020

Pay attention to Patch Tuesday from Microsoft today. This is not going to be one to defer. Don’t panic, just patch. — Alan Woodward (@ProfWoodward) January 14, 2020

Javvad Malik, security awareness advocate at KnowBe4, further echoed the ‘don’t panic, just patch’ mantra, commenting to SC Media UK: "All software regularly has vulnerabilities and other issues discovered, which is why vendors release patches on a frequent basis to address these. Microsoft is no different in that regard.

However, with the large footprint Microsoft has, any major issues can impact organisations of all sizes across all verticals. The upcoming patch is rumoured to be addressing a major vulnerability. It's important therefore for organisations to prioritise the patch and ensure their systems are protected as soon as possible.

Ultimately, this should be treated like any other patch, prioritised and applied in accordance with its severity. There is no need to panic, just follow standard procedures and patch."

David Kennefick, product architect at edgescan, also advocated perspective, while emphasising the importance of updating patching policies: "There is little known about the first Windows patch of 2020, other than Twitter folks are saying we should pay attention to it. This is not uncommon, and the uncertainty is making people jump to the conclusion that this is another Shellshock (CVE-2014-6271) or Heartbleed (CVE-2014-0160).

"It is very likely not, but the hype that it is attracting is good, it makes organisations realise the importance of patching and ask the question as to the status of their current patching policies.

If this vulnerability is as bad as speculated, there should be an immediate revision of patching policies to make sure the organisation is covered as soon as possible", he concluded.