Stop reading this, and update your PC now! Microsoft races to fix 61 flaws unearthed in Windows 10 and 11


Microsoft has issued critical security patches for millions of Windows 10 and Windows 11 PC owners worldwide, and these aren't updates that you want to ignore

MICROSOFT PRESS OFFICE | GBN
By Aaron Brown


Published: 15/05/2024 15:22

Updated: 15/05/2024 15:24

Of the 61 vulnerabilities, two have been classified as zero-day flaws

  • Microsoft has issued security patches for a range of its products
  • These are designed to patch 61 different flaws
  • Two of the vulnerabilities are classified as "zero-day"
  • That means hackers already know how to exploit the flaw
  • It's a race against time to update and protect as many users as possible

It's never a good idea to ignore a software update, but that's especially true with the latest release by Microsoft.

The latest security update is designed to fix known vulnerabilities in Microsoft Office, Windows 10, and Windows 11 that hackers are already using to attack PC owners. A vulnerability that is being exploited before a fix is available is known as a zero-day flaw, and it is the most dangerous type of vulnerability since scammers already know how to leverage it to wreak havoc.


That means it's a race against time for users to update to the latest patch ― and stop hackers in their tracks.

Microsoft has included the fix for the zero-day flaws in its monthly security updates for Windows 10, Windows 11, and its Edge web browser. In total, these updates will patch 61 flaws unearthed across its products.

The latest security updates are rolling out to PCs now. Microsoft typically releases fixes for flaws in its products on the second Tuesday of every month, dubbed Patch Tuesday. The latest release started on May 14, 2024 but might take a few days to reach your Windows device.

Most laptops and desktop PCs will update their operating system automatically. However, it's possible to speed up the process by heading to Settings > Windows Update and clicking on Check For Updates to manually kickstart the process.

Because of the severity of these flaws, Microsoft has made this latest patch mandatory — so as soon as your PC discovers there's a pending update, it will automatically start installing.

There's no need to do anything else.
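For readers who would rather confirm the update state from a terminal than click through Settings, here is an added example (it is not part of the article and not Microsoft's own tooling). It reads the installed build number, lists the most recently installed updates, and then asks the Windows Update Agent COM API for pending software updates, which is the scripted equivalent of Settings > Windows Update > Check For Updates. It assumes an elevated PowerShell session on Windows 10 or 11; the article gives no KB number for the May 2024 cumulative update, so `$ExpectedKB` is a placeholder the reader fills in from Microsoft's advisory for CVE-2024-30040 and CVE-2024-30051.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session on Windows 10/11.

# 1. Installed OS build. Monthly cumulative updates raise the UBR (update build revision).
#    DisplayVersion is present on Windows 10 20H2 and later and on Windows 11.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"Installed: {0} build {1}.{2}" -f $ver.DisplayVersion, $ver.CurrentBuildNumber, $ver.UBR

# 2. Most recently installed updates, newest first.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn

# 3. Pending (not yet installed, not hidden) software updates, via the Windows Update Agent.
#    This triggers the same scan as the Check For Updates button.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
if ($result.Updates.Count -eq 0) {
    "No pending software updates reported by Windows Update."
}
foreach ($u in $result.Updates) {
    $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    "Pending: {0}  {1}  Downloaded={2}" -f $kbs, $u.Title, $u.IsDownloaded
}

# 4. Check for one specific KB. PLACEHOLDER: replace with the KB ID from Microsoft's advisory.
$ExpectedKB = 'KB0000000'   # placeholder, not a real identifier
if (Get-HotFix -Id $ExpectedKB -ErrorAction SilentlyContinue) {
    "$ExpectedKB is installed."
} else {
    "$ExpectedKB not found; install pending updates and reboot."
}
```

Step 3 only searches; it does not download or install anything, so it is safe to run on a machine you are auditing. If the scan lists the cumulative update as pending with `Downloaded=False`, Windows Update has not yet fetched it, and letting the built-in scheduler (or the Settings page) proceed is the supported way to install it.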

Microsoft has used the codes CVE-2024-30040 and CVE-2024-30051 for the zero-day flaws in its products.

"An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user," Microsoft cautions in an advisory for CVE-2024-30040.

For hackers to successfully use this flaw, they'd need to convince you to accept a specially crafted file sent via email or instant messaging. There's no need to open the file for hackers to infect your machine — but the file would have to be created for your exact system. That means it's less likely to impact everyday users, but could pose a huge risk for celebrities, politicians, and industry leaders.

The second zero-day flaw, CVE-2024-30051, enables hackers to gain system privileges on your PC. That enables them to take remote control of your laptop or desktop PC, install applications from anywhere in the world, track the keystrokes on your keyboard, and film through your webcam.

Three separate groups of researchers — from Kaspersky, DBAPPSecurity WeBin Lab, Google Threat Analysis Group, and Mandiant — have been credited with spotting and reporting the flaw to Microsoft, suggesting it is being used widely in the wild.

Speaking about the flaw, Kaspersky researchers Boris Larin and Mert Degirmenci wrote in a blog post: "After sending our findings to Microsoft, we began to closely monitor our statistics in search of exploits and attacks that exploit this zero-day vulnerability, and in mid-April we discovered an exploit for this zero-day vulnerability.

"We have seen it used together with QakBot and other malware, and believe that multiple threat actors have access to it."

Due to the severity of these vulnerabilities, both have been listed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in its database of Known Exploited Vulnerabilities (also known as KEV), requiring federal agencies to apply the latest fixes by June 4.

Microsoft is tight-lipped on the exact details of how these flaws work since giving too much away could possibly lead to a spate of copycat attacks from other scam artists. We'll undoubtedly find out more details in the coming weeks and months.

In the meantime, install the latest update and protect your PC and data.