Microsoft fixes dozens of Windows 10 security flaws — here's what to do


Microsoft has pushed out fixes for 117 security flaws, including up to nine "zero-day" flaws, in software products including Windows 10 and Microsoft Office. Users of Windows 10, Windows 8.1 and those users of Windows 7 paying for extra security updates will want to run Windows Update as soon as possible to install the fixes.

If your Windows box doesn't bug you to run Windows Update, then click the Windows logo in the bottom left corner, click Settings and click Update & Security. Then click Check for Updates and follow the screen prompts.

Depending on how you define "zero-day," there are either four or nine of these fix-'em-now flaws being patched for the July Patch Tuesday round. All nine were publicly disclosed before Microsoft had a chance to craft a fix for any of them, but to the software maker's knowledge, only four were being used "in the wild" to attack Windows users.

Among them is PrintNightmare (catalogue number CVE-2021-34527), a flaw in the Print Spooler software that sends print jobs to networked printers. It was publicly disclosed by accident in late June by a security firm that misunderstood a Microsoft bulletin and thought the flaw had been fixed. 

It hadn't been, and attackers used the proof-of-concept exploit that was briefly posted on Twitter to stage real-life attacks. Microsoft issued an emergency patch for PrintNightmare last week, but some security experts said it didn't completely fix the flaw. Microsoft disagrees and is including the fix in this month's security rollup for those people who didn't install it last week.

Booby-trapped file

Of the other three actively exploited zero-days, the worst is CVE-2021-34448, which lets a maliciously crafted web page harbor a booby-trapped file that can execute code on a Windows machine when downloaded via the web browser. 

The user would have to be tricked into clicking a link to start the exploit process, but that's not a huge obstacle to many attackers.

"In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability," Microsoft wrote in a security bulletin.

"However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file."

Local access required

The other two actively exploited zero-days (CVE-2021-31979 and CVE-2021-33771) require local access — the attacker would have to be on or using the machine, or possibly using the local network. However, malware that gets onto a machine by other means could use the flaws.

Both are "escalation of privilege" vulnerabilities in the Windows kernel, and could be used to give a low-privilege user or process administrative or system privileges that they shouldn't have.

Of the five zero-days that aren't being actively exploited, three affect only servers, so we'll skip those. 

One of the two others (CVE-2021-33781) is a security-feature bypass, which implies possibly getting into something without a password or authorization, although Microsoft isn't providing many details, other than that it can be exploited over the internet. 

The other (CVE-2021-34492) lets an attacker fake a Windows certificate, a form of digital signature used to verify authenticity. It, too, is exploitable online, though Microsoft thinks the overall risk is low.

We're not going to get into the 108 other flaws being fixed, other than to note that 10 of those are rated "Critical" and permit installation and execution of malicious code over the internet. (You can read the entire July 2021 Microsoft security bulletin online.) So, um, patch those PCs.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
