Patch Tuesday is once again upon us: Microsoft releases a big security patch on the second Tuesday of each month, containing fixes for any vulnerabilities the company discovered since the previous month’s patch. While it’s always important to keep your PC updated with the latest security patches, this Patch Tuesday is particularly essential.
Microsoft patched a whopping 90 security flaws with this latest update. 10 of these vulnerabilities are zero-days, a type of security vulnerability in which the vulnerability is discovered before a developer has the chance to patch it. Of those 10, six have been actively exploited in the wild, which means at least some bad actors have used these flaws to target vulnerable systems. It’s only a matter of time before they figure out how to exploit the other four.
These are the 10 zero-days identified in the update. The six exploited flaws are in bold:
CVE-2024-38106: Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-38107: Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
CVE-2024-38189: Microsoft Project Remote Code Execution Vulnerability
CVE-2024-38193: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2024-38213: Windows Mark of the Web Security Feature Bypass Vulnerability
CVE-2024-38178: Scripting Engine Memory Corruption Vulnerability
CVE-2024-38200: Microsoft Office Spoofing Vulnerability
CVE-2024-38199: Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability
CVE-2024-21302: Windows Secure Kernel Mode Elevation of Privilege Vulnerability
CVE-2024-38202: Windows Update Stack Elevation of Privilege Vulnerability
Hackers can exploit vulnerabilities like this in a variety of ways, depending on the type of security flaw they’re taking advantage of. According to The Hacker News, actively exploited flaw CVE-2024-38213 enables bad actors to get around Microsoft Defender’s SmartScreen, which protects against malware and phishing schemes. All a target needs to do is process a malicious file, which a bad actor may send via email. Perhaps your “boss” needs you to open this important Excel document. When you do, however, it runs the scripts necessary to exploit this flaw.
But even flaws that aren’t zero-days pose risks: Now that Microsoft has documented 80 other security flaws patched in this update, bad actors may figure out how to exploit them, and can target PCs that haven’t updated yet. Installing the update ensures these vulnerabilities are patched on your machine, so you don’t need to worry about leaving yourself open to future exploits—at least, for these known security flaws.
This patch applies to both Windows 10 and Windows 11. Even if you haven’t upgraded your PC to Microsoft’s latest OS, you can and should install the latest security updates ASAP.
How to install this latest Windows security patch
Your PC may have installed this update automatically, but it might take some time to do so on its own. Here’s how to install it manually, or check whether it was installed already:
If you’re running Windows 11, head to Start > Settings > Windows Update. If you’re on Windows 10, go to Start > Settings > Update & Security > Windows Update > Check for updates. If the update is available, you can download and install it from here.