The NSA reports "extraordinarily serious" Windows flaw to Microsoft: The US military's already received an update
January 14th was supposed to be Windows 7's last day. However, what was described as an “extraordinarily serious” flaw in all Windows systems over the past 20 years might force Microsoft to release one last patch for the ageing OS.
Sources close to KrebsOnSecurity claim that Microsoft is set to roll out a patch for a major Windows security vulnerability this week. The update already appears to have reached the US military, as well as “high-value customers.” What’s surprising, though, is who identified the security flaw. Anne Neuberger, the NSA’s Director of Cybersecurity, stated that the agency identified the vulnerability and reported it to Microsoft, the first time the agency has done so (at least on record).
The update is said to rectify critical issues with a Windows component called crypt32.dll. This component is the library through which developers implement certificate handling, signature verification, and data encryption and decryption using digital certificates. Especially concerning is the possibility that a crypt32.dll flaw could be used to spoof digital signatures. If this turns out to be the case, threat actors could create and distribute malware that appears to be legitimately signed, and the operating system itself would report that signature as valid.
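A practical consequence for defenders is that any signature check performed on an affected, unpatched machine goes through the same crypt32.dll and cannot be trusted on its own. The script below is an added example, not code from the article or from Microsoft or the NSA: it inventories the executables and DLLs under a directory with the built-in Get-AuthenticodeSignature cmdlet, records the signer for each, and flags anything whose signature is not reported as Valid. The directory path and output file name are assumptions chosen for illustration; the intended use is to run it from a patched host (or against copies of the files collected from other machines) so that the verification itself is not running on the suspect code.

```powershell
# Added example (not from the article): inventory Authenticode signature status
# for binaries under a directory, so unsigned or invalid files can be reviewed.
# The paths below are illustrative assumptions, not values from the article.
param(
    [string]$Root   = 'C:\ReviewStaging',          # assumed: folder holding files to check
    [string]$Report = 'C:\ReviewStaging\signatures.csv'  # assumed: output location
)

# Collect PE files; -Include needs -Recurse (or a wildcard path) to apply.
$files = Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue

$results = foreach ($f in $files) {
    # Get-AuthenticodeSignature returns a Signature object whose Status is a
    # System.Management.Automation.SignatureStatus value (Valid, NotSigned,
    # HashMismatch, NotTrusted, UnknownError, ...).
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName

    [pscustomobject]@{
        Path       = $f.FullName
        Status     = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        NotAfter   = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
    }
}

# Persist the full inventory for later comparison (e.g. re-run after patching).
$results | Export-Csv -Path $Report -NoTypeInformation

# Surface everything that is not a clean, trusted signature.
$suspect = $results | Where-Object { $_.Status -ne 'Valid' }
Write-Host ("Checked {0} files; {1} without a valid signature" -f $results.Count, $suspect.Count)
$suspect | Sort-Object Status, Path | Format-Table Status, Signer, Path -AutoSize
```

Because the article's concern is a flaw in the verification library rather than in any one certificate, a "Valid" result from an unpatched system proves little; the value of the inventory is in comparing the signer and thumbprint columns against what you expect for each vendor, and in re-running the check once the patch is installed to see which files change status.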
Crypt32.dll was introduced to Windows over two decades ago. This means that a whole range of Windows versions, right down to Windows XP, may be affected. Microsoft has so far refused to discuss details about the issue. We’ll update you as soon as we hear more from them.