Microsoft fixes dozens of Windows 10 security flaws — here's what to do
Microsoft has pushed out fixes for 117 security flaws, including up to nine "zero-day" flaws, in software products including Windows 10 and Microsoft Office. Users of Windows 10, Windows 8.1 and those users of Windows 7 paying for extra security updates will want to run Windows Update as soon as possible to install the fixes.
If your Windows box doesn't prompt you to run Windows Update, then click the Windows logo in the bottom left corner, click Settings and click Updates and Security. Then click Check for Updates and follow the screen prompts.
Depending how you define "zero-day," there are either four or nine of these fix-'em-now flaws being patched for the July Patch Tuesday round. All nine were publicly disclosed before Microsoft had a chance to craft a fix for any of them, but to the software maker's knowledge, just four were being used "in the wild" to attack Windows users.
Among them is PrintNightmare (catalog number CVE-2021-34527), a flaw in the Print Spooler software that sends print jobs to networked printers. It was publicly disclosed by accident in late June by a security firm that misunderstood a Microsoft message and thought the flaw had been fixed.
It hadn't been, and attackers used the proof-of-concept exploit that was briefly posted on Twitter to stage real-life attacks. Microsoft issued an emergency patch for PrintNightmare last week, but some security experts said it didn't completely fix the flaw. Microsoft disagrees and is including the fix in this month's security rollup for those people who didn't install it last week.
Booby-trapped file
Of the other three actively exploited zero-days, the worst is CVE-2021-34448, which lets a maliciously crafted web page harbor a booby-trapped file that can execute code on a Windows machine when downloaded via the web browser.
The user would have to be tricked into clicking a link to start the exploit process, but that's not a huge obstacle to many attackers.
"In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability," Microsoft wrote in a security bulletin.
"However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file."
Local access required
The other two actively exploited zero-days (CVE-2021-31979 and 33771) require local access — the attacker would have to be on or using the machine, or perhaps using the local network. Even so, malware that gets onto a machine by other means could use the flaws.
Both are "escalation of privilege" vulnerabilities in the Windows kernel, and could be used to give a low-privilege user or process administrative or system privileges that they shouldn't have.
Of the five zero-days that aren't being actively exploited, three affect only servers, so we'll skip those.
One of the two others (CVE-2021-33781) is a security-feature bypass, which implies maybe getting into something without a password or authorization, although Microsoft isn't providing many details, other than that it can be exploited over the internet.
The other (CVE-2021-34492) lets an attacker fake a Windows certificate, a form of digital signature used to verify authenticity. It, too, is exploitable online, though Microsoft thinks the overall risk is low.
We're not going to get into the 108 other flaws being fixed, other than to note that 10 of those are rated "Critical" and permit installation and execution of malicious code over the internet. (You can read the entire July 2021 Microsoft security bulletin online.) So, um, patch those PCs.
Source: https://www.tomsguide.com/news/microsoft-patch-tuesday-july-21
Posted by: thaxtonationvin.blogspot.com
