
Report: Microsoft Patch Tuesday to Fix Serious Security Vulnerability, Affects All Versions Windows


engine

9:59 am on Jan 14, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



According to a report, Microsoft's first Patch Tuesday of 2020 will fix a serious vulnerability in all versions of Windows. That will, of course, include Windows 7, which, as of today, is no longer supported. It's unclear if Microsoft will roll this update out to Windows 7, but, clearly, if it's a significant vulnerability, it'd be a concern about continuing to run Windows 7. Cynics might suggest it's a ploy, but, then, I'd not be prepared to take the chance.
According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

[krebsonsecurity.com...]

lammert

8:50 pm on Jan 14, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The 2020-01 Security Monthly Rollup for Windows 7 (KB4534310) which just came available for my Windows 7 system through Microsoft Update contains new crypt32.dll files dated December 10th, 2019. So my guess is that this fix is included in the last security rollup for Windows 7.

engine

8:59 pm on Jan 14, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



More information here in Microsoft's January 2020 Security Updates: CVE-2020-0601
[msrc-blog.microsoft.com...]

Full update guide
[portal.msrc.microsoft.com...]

I see it does include Win 7, so this may be its last.

lammert

9:16 pm on Jan 14, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It seems somewhat ambiguous. When searching on [portal.msrc.microsoft.com...] for CVE-2020-0601 the list only includes Windows 10 and Server 2016 and 2019 versions. Other fixed security issues are listed for Windows 7, but not this one.

engine

9:46 pm on Jan 14, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I expanded that to 100 records to show more and I see "monthly rollup" and "security only" for Win 7.

ken_b

1:27 am on Jan 15, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Trying to do this update.

1st machine sailed right through.

2nd machine keeps failing and tossing an "unknown error".

3rd machine gets an almost instant message saying can't update because the service is not running.

Kendo

2:24 am on Jan 15, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I would be very dubious about installing an update for Windows 7 at this time.

engine

9:26 am on Jan 15, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I would be very dubious about installing an update for Windows 7 at this time.

Why, it's a serious security issue?
Anyone intending to continue to use win 7 without this update may run into problems, and I suspect that bad actors will decide to target unpatched Win 7 machines.

iamlost

3:56 pm on Jan 15, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Regarding the crypto fault mitigation update the NSA is sharing more detail, looks like they notified MSFT of the fault.

Patch Critical Cryptographic Vulnerability [media.defense.gov] in Microsoft Windows Clients and Servers, (PDF)

Summary

NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:
- HTTPS connections
- Signed files and emails
- Signed executable code launched as user-mode processes
The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.
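Since the thread's practical question is whether the crypt32.dll fix is actually present on a given box, here is an added PowerShell check (written for this page, not code from any poster, Microsoft or NSA). It assumes the Windows 7 rollup id KB4534310 and the December 10, 2019 file date reported by lammert above, and that the Microsoft-Windows-Audit-CVE event source only exists on patched Windows 10 / Server 2016/2019 systems.

```powershell
# Added example: report whether the January 2020 crypt32.dll fix appears to be present.
# Assumptions: KB4534310 is the Windows 7 monthly rollup named in the thread, and the
# Audit-CVE event provider is only present on patched Windows 10 / Server 2016/2019.

function Get-Crypt32PatchStatus {
    param(
        [string]$Win7RollupId = 'KB4534310',
        [string]$Crypt32Path  = "$env:SystemRoot\System32\crypt32.dll"
    )

    # Windows 7 monthly rollup from the thread; this lookup is simply empty on Windows 10.
    $rollup = Get-HotFix -Id $Win7RollupId -ErrorAction SilentlyContinue

    # Heuristic: the patched crypt32.dll files carried a 10 December 2019 date.
    $dll = Get-Item -Path $Crypt32Path
    $datedDec2019OrLater = $dll.LastWriteTime -ge (Get-Date '2019-12-10')

    # Patched Windows 10 / Server 2016/2019 systems write Event ID 1 from
    # Microsoft-Windows-Audit-CVE to the Application log when a certificate
    # is accepted only because of the CVE-2020-0601 flaw (it is rejected on a
    # patched system). Zero events is the expected, healthy result; any hit is
    # worth an incident-response look.
    $auditEvents = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-Audit-CVE'
            Id           = 1
        } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        Win7RollupInstalled     = [bool]$rollup
        Crypt32Version          = $dll.VersionInfo.FileVersion
        Crypt32Modified         = $dll.LastWriteTime
        Crypt32DatedDec2019Plus = $datedDec2019OrLater
        AuditCveEventCount      = $auditEvents.Count
    }
}

Get-Crypt32PatchStatus | Format-List
```

Run it in an elevated PowerShell session; the event-log query needs read access to the Application log, and the file date is only a sanity check, not a substitute for confirming the update in Windows Update history.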

Kendo

9:51 pm on Jan 15, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Why, it's a serious security issue?


I prefer to assume fake alarm rather than lose my data and have to reinstall Windows or upgrade to Windows 10 to reclaim it. A few months back I installed a Windows update that killed my OS so badly that I could not re-install Windows at all... had to roll back to a 6 month old backup and lost all data and apps developed/updated in that time. I am still rebuilding what was lost.

tangor

6:58 am on Jan 16, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



At some point the move to Linux begins to make sense. :)

mcneely

5:24 pm on Jan 18, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



At some point the move to Linux begins to make sense. :)


Yes ... and do indeed pardon me for sounding like a Linux fan boy (because I use Linux as my main and love it) but I've suggested quite a bit over the past few months to my Windows clients that they might just want to give the ole Nix a good go if they were at all uncertain about Windows 10 -- I've even given them Nix boxes to use just to try it all out. Response so far has been a bit better than I thought it would be.

I still maintain and service Windows boxes for some of my clients however, so my staying in the loop with regard to the Windows OS is still somewhat the order of the day.

I'm not looking at a total full-on with Linux until 2023 when Windows 8.1 reaches EOL tho'.

Jonesy

5:31 pm on Jan 18, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



If anyone is considering moving to Linux for servers,
I would suggest looking at FreeBSD (instead.)

upacrk1

1:48 pm on Jan 19, 2020 (gmt 0)

5+ Year Member



Like KEN_B, I have the same issue with this final W7 patch failing. I've run out of ideas. It installed seamlessly on 3 other computers.