Potentially Serious Patch for January 14th Patch Tuesday

For the first Patch Tuesday in 2020, there is a potentially serious flaw that is being patched.  KrebsOnSecurity.com is reporting that Microsoft has already shipped patches to the US military and high value targets. It is also being reported that the patch could involve the crypt32.dll component. This is of importance because crypt32.dll is in many versions of windows and could impact a majority of the Microsoft windows systems in use today.

The crypt32.dll component handles “certificate and cryptographic messaging functions in the CryptoAPI”. This component secures windows applications, for example Internet Explorer and the Edge browser.

According the National Security Agency (NSA), they reported this vulnerability to Microsoft, which would be the first time the NSA has been credited for reporting a security issue. Microsoft will be releasing more information later today when it releases the patches. Thrive is monitoring the situation and will be updating our information as we know more.

UPDATE 1:30pm:

Microsoft the vulnerability Patch for CVE-2020-0601.  This is a spoofing vulnerability that is rated as “Exploitation more likely”. An attacker may be able to craft a certificate that appears to have the ability to be traced to a trusted root certificate authority. We recommend everyone patch for this vulnerability.