If you don’t have your PC set to update automatically, now is a good time to run a manual update. Microsoft’s latest Patch Tuesday release includes a staggering 128 fixes for vulnerabilities not just in Windows, but in Office, Edge, Azure and Skype for Business.
More concerning, the update contains fixes for two zero-day vulnerabilities, one of which was reported by the NSA and is reportedly under active attack. The issue in question, CVE-2022-24521, is an elevation-of-privilege flaw in the Windows Common Log File System (CLFS) driver: an attacker who can already run code on a machine can use it to gain SYSTEM-level privileges.
“It’s not stated how widely the exploit is being used in the wild, but it’s likely still targeted at this point and not broadly available,” writes Trend Micro’s Dustin Childs on the Zero Day Initiative blog. “Go patch your systems before that situation changes.”
That sounds scary, but the zero-day ‘only’ warrants a CVSS score of 7.8 (10 is the highest), because although it yields admin-level privileges, its attack vector is local: the attacker must already be able to execute code on the machine, for example through a phishing payload or a separate remote bug. The other zero-day, CVE-2022-26904 in the Windows User Profile Service, scores 7.0 and has not yet been seen exploited, though that could change soon given that it has already been publicly disclosed along with proof-of-concept details.
In all, Microsoft brands three of the bugs “moderate” and 115 “important”, while ten are serious enough to earn the “critical” severity label. Of those, three potentially wormable bugs (exploitable over the network with no user interaction, so malware could spread from machine to machine on its own) have the dubious honor of achieving CVSS scores of 9.8, with Microsoft rating exploitation as “more likely”.
“These could be the kind of vulnerabilities which appeal to ransomware operators as they provide the potential to expose critical data,” Immersive Labs’ director of cyber threat research, Kevin Breen, tells Krebs on Security.
What to do now
If you’ve got automatic updates enabled, Windows will hopefully have patched these nasties before they can do any damage. But given the seriousness of the multiple threats, it doesn’t hurt to check, so here’s a refresher on how to update your Windows PC.
On Windows 10, click Start > Settings > Update & Security > Windows Update. If you’ve updated to Windows 11, the path is simpler: Start > Settings > Windows Update.
Whichever OS you’re on, click Check for updates and any available patches will appear in that window, giving you the chance to install them right away. The cumulative update will almost certainly require a restart once downloaded and installed, so save and back up your work before proceeding.
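If you manage more than one machine, clicking through Settings does not scale. The script below is an added example (not from the original article or from Microsoft) that does the same job from an elevated PowerShell prompt: it checks whether a given cumulative update is installed, asks the Windows Update Agent what is still pending, then downloads and installs it. The KB number is an assumption: KB5012599 is the April 2022 cumulative for Windows 10 21H2, so verify the right KB for your build and edition against Microsoft’s release notes before relying on the check.

```powershell
# Added example: verify patch state and drive Windows Update from PowerShell.
# Uses the Windows Update Agent COM API (Microsoft.Update.Session); run elevated.
param(
    # Assumption: the cumulative update you expect for this build. KB5012599 is
    # the April 2022 cumulative for Windows 10 21H2; adjust for your build.
    [string]$ExpectedKB = 'KB5012599',
    # Set to $true to actually download and install; $false only reports.
    [bool]$Install = $false
)

# 1. Is the expected cumulative already in the installed-hotfix list?
$installed = Get-HotFix | Where-Object HotFixID -eq $ExpectedKB
if ($installed) {
    Write-Host "$ExpectedKB is installed (on $($installed.InstalledOn))."
} else {
    Write-Host "$ExpectedKB not found among installed hotfixes; scanning for updates."
}

# 2. Ask the Windows Update Agent for software updates that are not yet installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

if ($result.Updates.Count -eq 0) {
    Write-Host "No pending updates."
    return
}

foreach ($u in $result.Updates) {
    $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    Write-Host ("Pending: {0} [{1}] MSRC severity={2}" -f $u.Title, $kbs, $u.MsrcSeverity)
}

if (-not $Install) {
    Write-Host "Re-run with -Install `$true to download and install the updates above."
    return
}

# 3. Accept EULAs, download, then install everything that was pending.
$coll = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $result.Updates) {
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$coll.Add($u)
}

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $coll
[void]$downloader.Download()

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $coll
$outcome = $installer.Install()

# OperationResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed.
Write-Host ("Install result code: {0}; reboot required: {1}" -f $outcome.ResultCode, $outcome.RebootRequired)
if ($outcome.RebootRequired) {
    Write-Host "A restart is needed before the patched CLFS driver and other kernel components take effect."
}
```

Run it first without -Install to see what the machine still needs; the Get-HotFix check is only a sanity check, since a newer cumulative supersedes the April one and will show a different KB. The reboot line matters for the CLFS zero-day in particular: a kernel driver fix is not live until the system has restarted.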