This Windows 10 update news isn't just good news. It's a reason to update your PC right now. Without it, someone or something could hit your computer with the Blue Screen of Death (BSoD if you're short on words) just by getting you to try to open a nonexistent folder.
This news comes from Bleeping Computer, which notes that the February 2021 Patch Tuesday download (released on February 9) contains a fix to the bug that Microsoft is tracking under the Common Vulnerabilities and Exposures (CVE) tag CVE-2021-24098.
- The best laptops, ranked
- Protect your PC with the best antivirus software
- Plus: Beware links to Discord's website — it could be malware
We reported on the flaw and tested out the exploit when it was first discovered less than a month ago — and it's legit. We do not know if it's been actively exploited "in the wild," but now that it's being publicized, it's not time to wait and find out.
Dubbed 'Windows Console Driver Denial of Service Vulnerability" by Microsoft, the flaw has only one upside: it requires user interaction — and cannot be performed without your involvement.
Microsoft's documentation notes that the "web-based attack scenario" could see a website used to deliver a filepath that exploits the flaw, so you'd just need to have a way to get someone to open the web page.
Unfortunately, as anyone who has been the victim of a phishing attack has experienced, it's not difficult to get your average user to open a link.
It could be sent in a breathlessly-worded email or text from their bank compelling them to fix something in their account, or something less dramatic, like a message promoting information about the Covid-19 vaccines or the third stimulus check.
Or it could be buried in a harmless-looking web page. Just clicking on a malicious link might crash your PC, although there likely wouldn't be any permanent damage.
Fix it now with a Windows 10 update
The February 2021 Patch Tuesday update is available to users via one of 20 different updates, listed at the bottom of their CVE-2021-24098 page here.
To update your machine, follow these simple steps.
- Select the Start/Windows button from the bottom left corner.
- Select the settings/gear button above the power button.
- Select the Update and Security button.
- Tap or click Windows Update in the left menu.
- Tap or click Check for Updates if you don't see any available.
- Your updates should begin downloading. Make sure your active projects are saved, and agree to restart once the updates are downloaded.
How the exploit works
This flaw is exploited by getting a user to try to open the below directory:
\\.\globalroot\device\condrv\kernelconnect
That's a local directory, which means users do not even need to download a file to have their system crashed. Yes, web browsers don't just navigate the internet: they can also browse system files.
A flaw in how Windows 10 performed error checking pushes the user directly to a system crash.
This flaw was discovered by researcher Jonas Lykkegaard, who explained it all in his Twitter feed. At the time, Microsoft told Bleeping Computer that it "has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible."
And now that we've explained how it works, and why you should run Windows Update ASAP, we're going to go make sure our systems are updated.