Microsoft will release a routine security update on Tuesday, and KrebsOnSecurity, citing people familiar with the matter, reported that the update will include a patch for a high-risk vulnerability in an encryption component, a flaw that affects all versions of Windows. Ahead of the routine update, Microsoft quietly released patches to high-value customers at U.S. military agencies and those managing Internet infrastructure.
To prevent the disclosure of vulnerability information, Microsoft also asked the agencies to sign nondisclosure agreements. According to the source, the vulnerability exists in the encryption component crypt32.dll, which handles certificates and encrypted message functions in the CryptoAPI.
High-risk vulnerabilities in this component can affect many of Windows' key features, including authentication between Windows desktops and servers, sensitive data protection, and third-party applications and tools.