Your PC needs another update. Microsoft just released its April 2024 patch for Windows, which contains fixes for a whopping 149 flaws. While all of these vulnerabilities are important to patch as soon as possible, this update is particularly critical, as two of the 149 flaws are zero-days.

Zero-day vulnerabilities are security flaws that have a known exploit in the wild. That means that at least someone, somewhere not only knows about the vulnerability, but also has exploited it against others. This April 2024 update patches two such zero-days, which means your PC is especially vulnerable to these exploits until you install the patch.

The first zero-day, tracked as CVE-2024-26234, is a proxy driver spoofing vulnerability. Microsoft won’t disclose any more information about the vulnerability, but the cybersecurity firm Sophos says it identified a malicious executable file (Catalog.exe) that Microsoft Windows Hardware Compatibility Publisher signed. This executable file is tied to the publisher Hainan YouHu Technology Co. Ltd, which also publishes LaiXi Android Screen Mirroring, used for controlling batches of smartphones for mass social media marketing activities.

The malicious file is embedded in an authentication program, which now contains an effective backdoor that can manage network traffic on the victim’s system. Sophos says there’s no evidence LaiXi intended to embed the malware into their program, nor is there evidence bad actors embedded it themselves, so it’s not clear how this happened.

The second zero-day, tracked as CVE-2024-26234, is a SmartScreen prompt security feature bypass vulnerability, which lets bad actors get around your PC’s Microsoft Defender Smartscreen systems. Bad actors could send the malicious file through email or another message platform, and would need to trick victims into opening their malicious file using a launcher that bypasses system UI.

Both of these zero-days are reasons to install the patch immediately, but there are plenty of other vulnerabilities patched that make this an important update. One flaw would allow bad actors to steal credentials from a system through Microsoft Azure Kubernetes Service Confidential Container. While Microsoft isn’t aware of an active exploit for this flaw in the wild, you shouldn’t leave yourself vulnerable for when someone figures out how to exploit it.

How to install the April 2024 patch on your PC

To install this patch on your PC, head to Start > Settings > Windows Update (Windows 11) or Start > Settings > Update & Security > Windows Update (Windows 10), then hit Check for updates. Once you see the update, install it.