Please update your home PCs, Windows users, because there is a nasty security flaw that is already being used in online attacks. Microsoft released a fix for the vulnerability yesterday (December 14) in its monthly round of Patch Tuesday updates.
The zero-day flaw, cataloged as CVE-2021-43890, is apparently being used by cybercriminals to spread malware that steals sensitive information from PCs and tries to get you to call fake tech support lines. Windows 10 and Windows 11 are equally vulnerable.
The flaw stems from a problem with the Windows Application installation tool, which can also be downloaded from the Microsoft online store.
“Microsoft is aware of attacks attempting to exploit this vulnerability by using specially crafted packages that include the family of malware known as Emotet/Trickbot/Bazaloader,” the security advisory posted about the flaw said.
“An attacker could create a malicious attachment to use in phishing campaigns,” the advisory added. “The attacker would have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights in the system might be less affected than users operating with administrative user rights.”
How to protect yourself
That last sentence highlights one of the lesser-known, but more effective, security measures that Windows users can implement. If you set up your regular “daily driver” Windows account as a “limited user” who can’t install or modify software, you run much less risk of your computer being badly hacked.
Your administrative account can sit unused most of the time. Even when you need to update things, you can enter the admin account password to get things done without having to log in to that account completely.
Anyway, to update your Windows machine, click the Windows icon at the bottom left of the screen (or bottom center if you’re running Windows 11), then the gear icon in the popup menu. This takes you to the Windows Settings screen; click Update & security, then click the Check for updates button.
If you want updates to be installed automatically, click Advanced Options while on that page and change the appropriate entry.
Microsoft fixed another 66 defects in its various software packages yesterday, including five other vulnerabilities that were also classified as zero-days because word got out before fixes were ready. The flaw described in detail above is the only one of the bunch that we know is already being exploited.
One of the most serious non-zero-day flaws involves remote code execution (i.e., hacking over the internet, to you and me) in Microsoft Office. While the app installer flaw has a severity score of 7.1 out of 10, this one has a severity score of 9.6.
Microsoft doesn’t provide many details about this flaw, presumably because the software giant doesn’t want anyone to figure out how to exploit it before most people have had a chance to install the patch.