The last ever Windows 7 Patch Tuesday update also includes a fix for a long-standing bug in the Windows cryptographic library (CryptoAPI) which could allow attackers to spoof digital certificates and conduct man-in-the-middle attacks.
Microsoft has long warned that January 2020 was the end of support for Windows 7, meaning that this is expected to be the last Patch Tuesday which includes fixes for Windows 7 (unless you have purchased extended support from Microsoft).
Overall, the January patch bundle includes fixes for 50 security vulnerabilities across the Windows product range, with the CryptoAPI defect (CVE-2020-0601) being the most serious. The CryptoAPI vulnerability was introduced in 2015 and only affects the Windows 10 / Server 2016 and 2019 family of operating systems.
According to Microsoft:
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.
A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
The delivery of the final patch set for Windows 7 coincides with Microsoft activating the EOSNotify application, which was installed as part of the December patch bundle. EOSNotify will display full-screen warnings every day advising users that their Windows 7 system is now out of support and prompting them to upgrade to Windows 10 (which can still be done for free).
Updated to clarify that the CryptoAPI defect does not impact Windows 7.