Urgent Microsoft Windows security warning for millions — 10 critical zero-days found
Hackers are currently using six of these critical flaws in their attacks
Microsoft has released its latest round of Patch Tuesday updates which address 90 security flaws in total including 10 zero-days — and of these, six are actively being exploited by hackers in their attacks.
As reported by The Hacker News, of these 90 flaws, 9 have a critical rating while the other 80 are rated as important. At the same time, Microsoft has also patched 36 vulnerabilities in its Edge browser since last month.
If you own one of the best Windows laptops or a desktop running Windows, you should install these new patches immediately to avoid falling victim to any attacks exploiting them. Here’s everything you need to know about August’s Patch Tuesday updates along with some tips on how to keep your PC safe from hackers.
Actively exploited zero-days
Although this month’s Patch Tuesday updates fix 10 zero-day flaws overall, six of them are currently being used by hackers in their attacks:
- Microsoft Project Remote Code Execution Vulnerability (tracked as CVE-2024-38189)
- Windows Scripting Engine Memory Corruption Vulnerability (tracked as CVE-2024-38178)
- Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (tracked as CVE-2024-38193)
- Windows Kernel Elevation of Privilege Vulnerability (tracked as CVE-2024-38106)
- Windows Power Dependency Coordinator Elevation of Privilege Vulnerability (tracked as CVE-2024-38107)
- Windows Mark of the Web Security Feature Bypass Vulnerability (tracked as CVE-2024-38213)
While the first flaw listed above is the most severe with a CVSS score of 8.8, the last one is probably the most notable as it allows hackers to bypass Microsoft’s SmartScreen protections in Windows by tricking an unsuspecting user into opening a malicious file. This vulnerability has also caught the attention of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) which is now requiring that federal agencies patch it by the beginning of September.
In a blog post, the cybersecurity firm Tenable highlighted a Microsoft Office spoofing vulnerability (tracked as CVE-2024-38200) that was also fixed in the latest Patch Tuesday updates. By sending a phishing email with a specially crafted file, a hacker could exploit this flaw to use in their attacks.
Unfortunately, Microsoft has yet to release a fix for two escalation of privilege vulnerabilities (tracked as CVE-2024-38202 and CVE-2024-21302), which could be used to downgrade Windows systems to an earlier version of the operating system to launch additional attacks. However, when contacted by The Hacker News, Microsoft said that it would consider patching these flaws in a future update.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
How to keep your Windows PC safe from hackers
The easiest way to keep your PC protected is to install the latest updates as soon as they become available. The reason being is that hackers often target users running outdated software in their attacks.
From here, you should also consider using the best antivirus software to stay safe from malware and other viruses. Windows Defender has improved significantly over the years and is now much better at detecting and stopping malware. However, paid antivirus software often also comes with useful extras like a VPN or password manager for additional protection.
You also want to avoid clicking on links or downloading any attachments in emails from unknown senders as they can contain malware. Likewise, when looking for new software online, you want to scroll down to the actual search results as hackers are now using ads to spread malware.
Hackers and companies like Microsoft play a constant game of cat and mouse with one another when it comes to patching vulnerabilities used in cyberattacks. However, if you update your computer regularly, think before clicking on suspicious links and don’t download files from less than reputable websites, you should be able to avoid falling victim to cyberattacks and other online scams.
Patch Tuesday updates are released on the second Tuesday of each month, so you should plan to update your Windows PC around that time to ensure that you’re running the latest software on your computer.
More from Tom's Guide
- FBI issues warning over scammers impersonating banks to steal debit cards
- 2.9 billion hit in one of the largest data breaches ever
- Chrome, Safari and other browsers vulnerable to 0.0.0.0 Day vulnerability
Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.
-
Fox Tread3 August 14, 2024 - Ahhh.. yesss.. the famous.. infamous Windows "Updates". Yeeehhh!! The good news is that the Win11 "udate" didn't "break" anything on my Win11 machine, but I wish that was the case with my Win10 machine, (which I still run because Microsoft says it's garbage, and can't run Win11 🤨 ). Anyway(s)😏 the Win10 "updates" managed as usual to trifle with my sound settings on my Win10 machine, and even taking the precaution previously of creating a "System Restore points" prior to installing the current "updates"., didn't help. I have no sound on my Win10 machine at the moment. I assume at some point the problem will be rectified, but this is exactly why I have more than one Windows full tower desktop computer, along with a Chromebook, and an Apple Mac Mini. My next step at some point is to get a second different ISP account in case my present one goes offline as it has it does occasionally. Life ain't cheap in the first world.😏Reply