If you’re a Windows user, all Patch Wednesdays should be important, save for those instances where Microsoft borks a patch and actually makes your Windows system worse than it was previously. Getting the latest feature and security updates for your system—mostly the latter—should be something you look forward to each month. But today’s Patch Wednesday is even more important than most.
First, if you’re still clinging to Windows 7, know that today marks the very final Patch Wednesday you’ll ever experience. Unless Microsoft backtracks and opts to release future fixes when huge vulnerabilities are uncovered, this is the last round of security updates you’ll receive for your operating system. Make sure you install them, because you’re on your own from here on out.
Windows 10 users have a vulnerability to fix
For the rest of you, today is also an important day, as Microsoft is allegedly fixing a rather large security vulnerability that affects Windows 10 and Windows Server 2016. The company tipped off a number of major organisations about the issue in advance, including the U.S. military. And it appears the fixes they received (before you) came with a “don’t disclose” clause, as nobody was talking about said vulnerability openly until today.
The vulnerability in question affects Windows’ crypt32.dll module. As described by security expert Brian Krebs:
“A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.
Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.”
Sounds serious? The curious thing about this vulnerability is the amount of disagreement surrounding whether it’s actually a big deal or not.
I got 7 emails from various parts of my federal agency employer telling me that ALL MUST PERFORM UPDATES tomorrow.
It’s going to be hell for our low-bandwidth edge networks
— Brandon Ransom George Thømas (@brandonransom) January 14, 2020
It’s not an RCE, it’s not EternalBlue etc etc.
— Kevin Beaumont (@GossiTheDog) January 14, 2020
As I understand it, the vulnerability lays out the groundwork for future attacks, rather than being something that attackers are actively exploiting at this time. In other words, I wouldn’t stop everything I’m doing to immediately update my home system the second Microsoft’s patch drops—which already happened, if you’re reading this (KB4528760 in Windows Update). Don’t dawdle, though.
And just in case Microsoft’s first Patch Wednesday of the year has issues, you can always take the super-safe route of backing up your system prior to installing today’s updates. Whether you want to just save your critical files elsewhere or create a full image of your drive is up to you—it depends how much you trust Microsoft and its patching process (and whether Microsoft will let you roll back this update if things start to go haywire).
Leave a Reply
You must be logged in to post a comment.