Microsoft fixes dozens of Windows 10 security flaws — here's what to do


Microsoft has pushed out fixes for 117 security flaws, including up to nine "zero-day" flaws, in software products including Windows 10 and Microsoft Office. Users of Windows 10 and Windows 8.1, as well as Windows 7 users paying for Extended Security Updates, will want to run Windows Update as soon as possible to install the fixes.

If your Windows box doesn't bug you to run Windows Update, click the Windows logo in the bottom left corner, click Settings, then click Update & Security. Then click Check for Updates and follow the on-screen prompts.

Depending on how you define "zero-day," there are either four or nine of these fix-'em-now flaws being patched in the July Patch Tuesday round. All nine were publicly disclosed before Microsoft had a chance to craft a fix for any of them, but to the software maker's knowledge, only four were being used "in the wild" to attack Windows users.

Among them is PrintNightmare (catalogue number CVE-2021-34527), a flaw in the Print Spooler software that sends print jobs to networked printers. It was publicly disclosed by accident in late June by a security firm that misunderstood a Microsoft bulletin and thought the flaw had been fixed.

It hadn't been, and attackers used the proof-of-concept exploit that was briefly posted on Twitter to stage real-life attacks. Microsoft issued an emergency patch for PrintNightmare last week, but some security experts said it didn't completely fix the flaw. Microsoft disagrees and is including the fix in this month's security rollup for those people who didn't install it last week.

Booby-trapped file

Of the other three actively exploited zero-days, the worst is CVE-2021-34448, which lets a maliciously crafted web page harbor a booby-trapped file that can execute code on a Windows machine when downloaded via the web browser.

The user would have to be tricked into clicking a link to start the exploit process, but that's not a huge obstacle to many attackers.

"In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability," Microsoft wrote in a security bulletin.

"However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file."

Local access required

The other two actively exploited zero-days (CVE-2021-31979 and CVE-2021-33771) require local access — the attacker would have to be on or using the machine, or possibly using the local network. However, malware that gets onto a machine by other means could use the flaws.

Both are "escalation of privilege" vulnerabilities in the Windows kernel, and could be used to give a low-privilege user or process administrative or system privileges that they shouldn't have.

Of the five zero-days that aren't being actively exploited, three affect only servers, so we'll skip those.

One of the two others (CVE-2021-33781) is a security-feature bypass, which implies an attacker could get past a protection that would normally require a password or authorization, although Microsoft isn't providing many details, other than that it can be exploited over the internet.

The other (CVE-2021-34492) lets an attacker fake a Windows certificate, a form of digital signature used to verify authenticity. It, too, is exploitable online, though Microsoft thinks the overall risk is low.

We're not going to get into the 108 other flaws being fixed, other than to note that 10 of those are rated "Critical" and permit installation and execution of malicious code over the internet. (You can read the entire July 2021 Microsoft security bulletin online.) So, um, patch those PCs.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.