Brian Krebs says the issue covers all Windows versions and is present in a core cryptographic component. He says the issue could have implications for various Windows components, including authentication, protection of data in Edge and Internet Explorer, and third-party applications.
On top of this, Krebs says the NSA's director of cybersecurity is set to host a call with media that “will provide advanced notification of a current NSA cybersecurity issue”. Whether it's related to the Microsoft flaw or not is unconfirmed at this time.
Sources say Microsoft on Tuesday will fix an extraordinarily scary flaw in all Windows versions, in a core cryptographic component that could be abused to spoof the source of digitally signed software. Apparently DoD & a few others got an advance patch https://t.co/V6PByhjTNR
— briankrebs (@briankrebs) January 13, 2020
Will Microsoft Patch Windows 7?
Krebs' sources allege that Microsoft has rolled this out to branches of the U.S. military and other high-value targets, under NDA. In response to the reports, Microsoft said that it “does not discuss the details of reported vulnerabilities before an update is available”.
It also indicated that the allegations that it released the patch to some customers early are false, pointing only to its Security Update Validation Program, which is designed for testing and is not a channel for broad early distribution.
CERT security analyst Will Dormann also hinted that today's patch will be a very important one.
“I get the impression that people should perhaps pay very close attention to installing tomorrow's Microsoft Patch Tuesday updates in a timely manner,” he wrote on Twitter. “Even more so than others. I don't know… just call it a hunch? ¯\_(ツ)_/¯”
All of this is a strong indication that a patch for a major issue is indeed on the way. However, the real question is which OSes the company will roll it out to. Technically, it should skip Windows 7, as that OS's support has officially ended. That would encourage users to upgrade, but it would leave them vulnerable unless they are part of an extended support arrangement. Alternatively, it could make an exception for the good of the general security landscape.
It's worth noting that it did so for the WannaCry ransomware, patching XP despite it being out of support. However, in that case, Microsoft was both delayed in releasing the patch and had legitimate concerns that, because of the malware's wormable nature, XP users could spread it to OSes that were still in support. How exactly it will react in this case should prove very interesting.