Update your home PCs, Windows users, because there's a nasty security flaw out there that's already being used in online attacks. Microsoft pushed out a fix for the vulnerability in yesterday's (Dec. 14) round of monthly Patch Tuesday updates.
The "zero-day" flaw, catalogued as CVE-2021-43890, is apparently being used by cybercriminals to spread malware that steals sensitive information from PCs and tries to get you to call fake tech-support lines. Windows 10 and Windows 11 are equally vulnerable.
The flaw stems from an issue with with the Windows App Installer tool, which can also be downloaded from the online Microsoft Store.
"Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader," said the security advisory released about the flaw.
"An attacker could craft a malicious attachment to be used in phishing campaigns," the advisory added. "The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
How to protect yourself
That last sentence highlights one of the least-known, but most effective, security safeguards that Windows users can implement. If you set up your regular "daily driver" Windows account as a "limited user" that can't install or modify software, you are at much less risk of your computer being seriously hacked.
Your administrative account can stay dormant. Even when you do need to update things, you can just use the admin account's password to get things done without having to fully log into it.
Anyhow, to update your Windows machine, click the Windows icon on the bottom left of the screen (or the bottom center if you're running Windows 11), then the gear icon in the pop-up menu. This brings you to the Windows Settings screen; click Update and Security, then click the Check for Updates button.
If you want to have updates installed automatically, then click Advanced Options while you're on that page and toggle the appropriate entry.
Microsoft patched 66 other flaws in its various software packages yesterday, including five other vulnerabilities that were also classified as zero-days because word got out about them before fixes were ready. The flaw described in detail above is the only one of the bunch that we know is already being exploited.
One of the most serious flaws that's not a zero-day involves remote code execution — that's hacking over the internet to you and me — in Microsoft Office. While the App Installer flaw has a severity score of 7.1 out of 10, this one rates a 9.6.
Microsoft isn't providing many details about this flaw, presumably because the software giant doesn't want anyone figuring out how to exploit it before most people have had a chance to install the patch.