Microsoft has pushed out fixes for 117 security flaws, including up to nine "zero-day" flaws, in software products including Windows 10 and Microsoft Office. Users of Windows 10, Windows 8.1 and those users of Windows 7 paying for extra security updates will want to run Windows Update as soon as possible to install the fixes.
If your Windows box doesn't bug you to run Windows Update, then click the Windows logo in the bottom left corner, click Settings and click Updates and Security. Then click Check for Updates and follow the screen prompts.
- What you need to know about the Windows 'PrintNightmare' exploit
- How to install Windows 11 — a step-by-step guide
- Plus: Windows 11's most exciting gaming feature is coming to Windows 10
Depending how you define "zero-day," there are either four or nine of these fix-'em-now flaws being patched for the July Patch Tuesday round. All nine were publicly disclosed before Microsoft had a chance to craft a fix for any of them, but to the software maker's knowledge, only four were being used "in the wild" to attack Windows users.
Among them is PrintNightmare (catalogue number CVE-2021-34527), a flaw in the Print Spooler software that sends print jobs to networked printers. It was publicly disclosed by accident in late June by a security firm that misunderstood a Microsoft bulletin and thought the flaw had been fixed.
It hadn't been, and attackers used the proof-of-concept exploit that was briefly posted on Twitter to stage real-life attacks. Microsoft issued an emergency patch for PrintNightmare last week, but some security experts said it didn't completely fix the flaw. Microsoft disagrees and is including the fix in this month's security rollup for those people who didn't install it last week.
Booby-trapped file
Of the other three actively exploited zero-days, the worst is CVE-2021-34448, which lets a maliciously crafted web page harbor a booby-trapped file that can execute code on a Windows machine when downloaded via the web browser.
The user would have to be tricked into clicking a link to start the exploit process, but that's not a huge obstacle to many attackers.
"In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability," Microsoft wrote in a security bulletin .
"However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file."
Local access required
The other two actively exploited zero-days (CVE-2021-31979 and 33771) require local access — the attacker would have to be on or using the machine, or possibly using the local network. However, malware that gets onto a machine by other means could use the flaws.
Both are "escalation of privilege" vulnerabilities in the Windows kernel, and could be used to give a low-privilege user or process administrative or system privileges that they shouldn't have.
Of the five zero-days that aren't being actively exploited, three affect only servers, so we'll skip those.
One of the two others (CVE-2021-33781) is a security-feature bypass, which implies possibly getting into something without a password or authorization, although Microsoft isn't providing many details, other than that it can be exploited over the internet.
The other (CVE-2021-34492) lets an attack fake a Windows certificate, a form of digital signature used to verify authenticity. It, too, is exploitable online, though Microsoft thinks the overall risk is low.
We're not going to get into the 108 other flaws being fixed, other than to note that 10 of those are rated "Critical" and permit installation and execution of malicious code over the internet. (You can read the entire July 2021 Microsoft security bulletin online.) So, um, patch those PCs.
