Skip to main content

Microsoft fixes six zero-day flaws in Windows 10 — update right now

Windows 10 button
(Image credit: Wachiwit/Shutterstock)

You'd better implement the software patches that Microsoft released yesterday (June 8) if you're running any recent version of Windows, because this month's Patch Tuesday updates include fixes for six different "zero-day" flaws that are already being exploited by attackers in the wild.

The worst of the bunch (assigned the catalogue number CVE-2021-33742) lets malicious web pages hack into PCs via Internet Explorer and other Microsoft programs. Microsoft Edge is also affected when it is in "Internet Explorer mode," according to the Microsoft description of the flaw, which labels it "Critical."

Google's Threat Analysis Group discovered that flaw only last week. Yesterday (June 8) Google's Shane Huntley tweeted that the attacks using the flaw seem to have been developed by a commercial hacking group for a nation-state in the Middle East or Eastern Europe.

See more

Speaking of Google, two of the other zero-day flaws (CVE-2021-31955 and 31956) were used in conjunction with Chrome flaws as part of "a wave of highly targeted attacks against multiple companies" in April, according to Kaspersky researchers. The Chrome flaws were fixed in a flurry of security updates to that browser later in that month.

A Kaspersky press release said the company had "yet to find any connection between these attacks and any known threat actors." Kaspersky is calling the previously unknown group "Puzzle Maker."

Two more of the patched zero-days (CVE-2021-31199 and 31201) seem to have been used in conjunction with an Adobe Reader flaw that was fixed last month. As with the Chrome attacks, the Reader flaw got the attacker onto the system, and the Microsoft flaws then permitted the attacker to "elevate privileges" to fully take control. 

The sixth zero-day (CVE-2021-33739) is also an elevation-of-privileges flaw. Microsoft's notes don't provide many details, but say the flaw could be used once an attacker has gained a foothold on a machine via a phishing attack or other means.

You can tell Microsoft takes these zero-day flaws very seriously because it's patching Windows 7 as well as Windows 8.1 and Windows 10, where applicable. 

Windows 7 officially reached the end of support in January 2020 and wasn't supposed to get any more patches after that. But Microsoft has been quietly fixing the worst flaws in Windows 7 in several recent Patch Tuesday updates.

Paul Wagenseil
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. That's all he's going to tell you unless you meet him in person.
  • Rounduptheusualsuspects
    I must be missing something. I read all 8 of the detail reports on all of these fixes.'

    Not a one mentions an issue with Windows 10.

    Every one mentions issues with Windows 8.x.

    What am I missing, other than any reference to Win 10 in the actual Microsoft articles?
    Reply