Windows 10 security alert: Update now if you don't want your PC to crash

News
By published

This is one Windows 10 update you should not wait on

Update Windows 10 now if you don't want your PC to crash
Not the actual Blue Screen of Death. (Image credit: Shutterstock)

This Windows 10 update news isn't just good news. It's a reason to update your PC right now. Without it, someone or something could hit your computer with the Blue Screen of Death (BSoD if you're short on words) just by getting you to try to open a nonexistent folder.

This news comes from Bleeping Computer, which notes that the February 2021 Patch Tuesday download (released on February 9) contains a fix to the bug that Microsoft is tracking under the Common Vulnerabilities and Exposures (CVE) tag CVE-2021-24098

We reported on the flaw and tested out the exploit when it was first discovered less than a month ago — and it's legit. We do not know if it's been actively exploited "in the wild," but now that it's being publicized, it's not time to wait and find out. 

Dubbed 'Windows Console Driver Denial of Service Vulnerability" by Microsoft, the flaw has only one upside: it requires user interaction — and cannot be performed without your involvement. 

Microsoft's documentation notes that the "web-based attack scenario" could see a website used to deliver a filepath that exploits the flaw, so you'd just need to have a way to get someone to open the web page. 

Unfortunately, as anyone who has been the victim of a phishing attack has experienced, it's not difficult to get your average user to open a link. 

It could be sent in a breathlessly-worded email or text from their bank compelling them to fix something in their account, or something less dramatic, like a message promoting information about the Covid-19 vaccines or the third stimulus check.

Or it could be buried in a harmless-looking web page. Just clicking on a malicious link might crash your PC, although there likely wouldn't be any permanent damage.

Fix it now with a Windows 10 update

The February 2021 Patch Tuesday update is available to users via one of 20 different updates, listed at the bottom of their CVE-2021-24098 page here.

To update your machine, follow these simple steps.

  • Select the Start/Windows button from the bottom left corner.
  • Select the settings/gear button above the power button.
  • Select the Update and Security button.
  • Tap or click Windows Update in the left menu.
  • Tap or click Check for Updates if you don't see any available.
  • Your updates should begin downloading. Make sure your active projects are saved, and agree to restart once the updates are downloaded.

How the exploit works

This flaw is exploited by getting a user to try to open the below directory:
\\.\globalroot\device\condrv\kernelconnect

That's a local directory, which means users do not even need to download a file to have their system crashed. Yes, web browsers don't just navigate the internet: they can also browse system files. 

A flaw in how Windows 10 performed error checking pushes the user directly to a system crash. 

This flaw was discovered by researcher Jonas Lykkegaard, who explained it all in his Twitter feed. At the time, Microsoft told Bleeping Computer that it "has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible."

And now that we've explained how it works, and why you should run Windows Update ASAP, we're going to go make sure our systems are updated.

Henry T. Casey
Henry T. Casey

Henry was a managing editor at Tom’s Guide covering streaming media, laptops and all things Apple, reviewing devices and services for the past seven years. Prior to joining Tom's Guide, he reviewed software and hardware for TechRadar Pro, and interviewed artists for Patek Philippe International Magazine. He's also covered the wild world of professional wrestling for Cageside Seats, interviewing athletes and other industry veterans.