Microsoft has found and patched a serious vulnerability reportedly present in almost every version of Windows ever released. The flaw was considered so dangerous that the company required government agencies and other high-value customers (which it had already patched) to keep quiet about it until everyone else received their fix.
The vulnerability reportedly allows attackers, among other things, to pass off malware as legitimate software signed by trusted companies. The flaw itself lies in crypt32.dll, the Windows module that handles “certificate and cryptographic messaging functions in the CryptoAPI.”
The component was first introduced with Windows NT 4.0 and has been included in every version since, including Windows XP and Windows 7, which officially reaches end of life today.
Commenting on the patch, Microsoft said: “Through our Security Update Validation Program (SUVP), we release advanced versions of our updates for the purpose of validation and interoperability testing in lab environments. Participants in this program are contractually disallowed from applying the fix to any system outside of this purpose and may not apply it to production infrastructure.”
News of the fix was first shared by security researcher Will Dormann on Twitter. The cryptic tweet, which simply stressed the importance of patching Windows as soon as possible, drew the attention of the media.