Skip to main content

Microsoft fixes six zero-day flaws in Windows 10 — update right now

Windows 10 button
(Image credit: Wachiwit/Shutterstock)

You'd better implement the software patches that Microsoft released yesterday (June 8) if you're running any recent version of Windows, because this month's Patch Tuesday updates include fixes for six different "zero-day" flaws that are already being exploited by attackers in the wild.

The worst of the bunch (assigned the catalogue number CVE-2021-33742) lets malicious web pages hack into PCs via Internet Explorer and other Microsoft programs. Microsoft Edge is also affected when it is in "Internet Explorer mode," according to the Microsoft description of the flaw, which labels it "Critical."

Google's Threat Analysis Group discovered that flaw only last week. Yesterday (June 8) Google's Shane Huntley tweeted that the attacks using the flaw seem to have been developed by a commercial hacking group for a nation-state in the Middle East or Eastern Europe.

See more

Speaking of Google, two of the other zero-day flaws (CVE-2021-31955 and 31956) were used in conjunction with Chrome flaws as part of "a wave of highly targeted attacks against multiple companies" in April, according to Kaspersky researchers. The Chrome flaws were fixed in a flurry of security updates to that browser later in that month.

A Kaspersky press release said the company had "yet to find any connection between these attacks and any known threat actors." Kaspersky is calling the previously unknown group "Puzzle Maker."

Two more of the patched zero-days (CVE-2021-31199 and 31201) seem to have been used in conjunction with an Adobe Reader flaw that was fixed last month. As with the Chrome attacks, the Reader flaw got the attacker onto the system, and the Microsoft flaws then permitted the attacker to "elevate privileges" to fully take control. 

The sixth zero-day (CVE-2021-33739) is also an elevation-of-privileges flaw. Microsoft's notes don't provide many details, but say the flaw could be used once an attacker has gained a foothold on a machine via a phishing attack or other means.

You can tell Microsoft takes these zero-day flaws very seriously because it's patching Windows 7 as well as Windows 8.1 and Windows 10, where applicable. 

Windows 7 officially reached the end of support in January 2020 and wasn't supposed to get any more patches after that. But Microsoft has been quietly fixing the worst flaws in Windows 7 in several recent Patch Tuesday updates.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.