Urgent Microsoft Windows security warning for millions: 10 zero-days found, six already under attack


Microsoft has released its latest round of Patch Tuesday updates, which address 90 security flaws in total, including 10 zero-days. Six of those zero-days are already being exploited by hackers in their attacks.

As reported by The Hacker News, 9 of the 90 flaws are rated Critical and 80 are rated Important. Microsoft has also patched 36 vulnerabilities in its Edge browser since last month's release.

If you own one of the best Windows laptops or a desktop running Windows, install these patches as soon as possible so you don't fall victim to attacks that exploit them. Here's everything you need to know about August's Patch Tuesday updates, along with some tips on keeping your PC safe from hackers.

Actively exploited zero-days


Although this month’s Patch Tuesday updates fix 10 zero-day flaws overall, six of them are currently being used by hackers in their attacks:

  • Microsoft Project Remote Code Execution Vulnerability (tracked as CVE-2024-38189)
  • Windows Scripting Engine Memory Corruption Vulnerability (tracked as CVE-2024-38178)
  • Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (tracked as CVE-2024-38193)
  • Windows Kernel Elevation of Privilege Vulnerability (tracked as CVE-2024-38106)
  • Windows Power Dependency Coordinator Elevation of Privilege Vulnerability (tracked as CVE-2024-38107)
  • Windows Mark of the Web Security Feature Bypass Vulnerability (tracked as CVE-2024-38213)

The first flaw listed above is the most severe, with a CVSS score of 8.8, but the last one is arguably the most notable: it lets attackers bypass Microsoft's SmartScreen protections in Windows by tricking an unsuspecting user into opening a malicious file that should have carried the Mark of the Web. This vulnerability has also caught the attention of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is now requiring federal agencies to patch it by the beginning of September.
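To see what the Mark of the Web bypass above actually sidesteps, the following PowerShell script, an added example that is not code from the article or from Microsoft, reads the `Zone.Identifier` alternate data stream that Windows attaches to downloaded files and that SmartScreen consults before running them. The `Get-MarkOfTheWeb` function, the temporary demo file, and the `example.invalid` host URL are my own constructions; the zone numbers (3 = Internet) are the standard Windows security-zone identifiers.

```powershell
# Added example, not code from the article: inspect the Mark of the Web (MotW) that
# SmartScreen relies on. On NTFS it lives in a "Zone.Identifier" alternate data
# stream; a ZoneId of 3 ("Internet") is what makes SmartScreen screen the file.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-MarkOfTheWeb {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path
    # With -ErrorAction SilentlyContinue, Get-Item -Stream returns nothing when the ADS is absent.
    $ads = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) {
        return [pscustomobject]@{ File = $item.Name; Marked = $false; ZoneId = $null; Zone = 'None'; HostUrl = $null }
    }
    $raw     = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    $zoneId  = if ($raw -match 'ZoneId=(\d+)') { [int]$Matches[1] } else { $null }
    $hostUrl = if ($raw -match 'HostUrl=(\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        File    = $item.Name
        Marked  = $true
        ZoneId  = $zoneId
        Zone    = if ($null -ne $zoneId -and $ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { 'Unknown' }
        HostUrl = $hostUrl
    }
}

# --- Constructed demonstration on a temporary file (no real download involved) ---
$demo = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -LiteralPath $demo -Value 'harmless demo content'
# A file created locally carries no mark; only browsers, mail clients and similar apps add one.
Get-MarkOfTheWeb $demo

# Stamp the file the way a browser does when saving something from the Internet zone.
$zoneStream = "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/download/`r`n"
Set-Content -LiteralPath $demo -Stream Zone.Identifier -Value $zoneStream
Get-MarkOfTheWeb $demo

# Unblock-File strips the stream. A malicious file that reaches disk without this mark,
# whatever the route, is what lets an attacker skip the SmartScreen prompt.
Unblock-File -LiteralPath $demo
Get-MarkOfTheWeb $demo
Remove-Item -LiteralPath $demo

# --- Audit your Downloads folder: unmarked files never went through the usual SmartScreen check ---
Get-ChildItem -LiteralPath (Join-Path $env:USERPROFILE 'Downloads') -File |
    ForEach-Object { Get-MarkOfTheWeb $_.FullName } |
    Sort-Object Marked, File | Format-Table -AutoSize
```

Run it in Windows PowerShell 5.1 or PowerShell 7 on Windows; the `-Stream` parameter only exists on NTFS volumes, and files copied to FAT or exFAT drives lose the mark entirely, which is worth remembering when you find unmarked files.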

In a blog post, the cybersecurity firm Tenable highlighted a Microsoft Office spoofing vulnerability (tracked as CVE-2024-38200) that was also fixed in this month's updates. An attacker could exploit it by sending a phishing email containing a specially crafted file and convincing the recipient to open it.

Unfortunately, Microsoft has yet to release fixes for two elevation of privilege vulnerabilities (tracked as CVE-2024-38202 and CVE-2024-21302) that could be used to roll a Windows system back to an earlier build of the operating system, reintroducing already-patched flaws that can then be used to launch additional attacks. When contacted by The Hacker News, Microsoft said it would consider patching these flaws in a future update.

How to keep your Windows PC safe from hackers


The easiest way to keep your PC protected is to install the latest updates as soon as they become available, since hackers often target users running outdated software.

You should also consider using the best antivirus software to stay safe from malware. Microsoft Defender (formerly Windows Defender) has improved significantly over the years and is now much better at detecting and stopping malware. However, paid antivirus software often comes with useful extras like a VPN or a password manager for additional protection.

You should also avoid clicking links or downloading attachments in emails from unknown senders, as they can contain malware. Likewise, when looking for new software online, scroll past the sponsored results to the actual search results, as hackers now use ads to spread malware.

Hackers and companies like Microsoft play a constant game of cat and mouse when it comes to patching vulnerabilities used in cyberattacks. However, if you update your computer regularly, think before clicking suspicious links and don't download files from less than reputable websites, you should be able to avoid falling victim to most cyberattacks and online scams.

Patch Tuesday updates are released on the second Tuesday of each month, so you should plan to update your Windows PC around that time to ensure that you’re running the latest software on your computer.
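If you would rather check than wait for the Settings app, the PowerShell script below, an added example that is not code from the article or from Microsoft, works out the second Tuesday of the month, lists what `Get-HotFix` says was installed since then, and asks the Windows Update Agent what is still pending. The three function names are my own; the `Microsoft.Update.Session` COM object and its `Search` criteria are the documented Windows Update Agent API, and the pending-update query assumes the machine can reach Windows Update or your WSUS server.

```powershell
# Added example, not code from the article: verify Patch Tuesday coverage on this PC.

function Get-PatchTuesday {
    # Second Tuesday of the given month (defaults to the current month).
    param([datetime]$Month = (Get-Date))
    $first = [datetime]::new($Month.Year, $Month.Month, 1)
    # Days from the 1st to the first Tuesday, then one more week.
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $first.AddDays($offset + 7).Date
}

function Get-UpdatesSincePatchTuesday {
    # Get-HotFix reads Win32_QuickFixEngineering; the monthly cumulative update
    # appears as a "Security Update" entry. InstalledOn can be empty for some rows.
    param([datetime]$Since = (Get-PatchTuesday))
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn.Date -ge $Since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

function Get-PendingUpdates {
    # Windows Update Agent COM API (IUpdateSearcher.Search); needs network access.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity
            KBs      = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        }
    }
}

$pt = Get-PatchTuesday
"Patch Tuesday this month: $($pt.ToString('yyyy-MM-dd'))"
if ((Get-Date).Date -lt $pt) {
    "This month's release is not out yet; checking against last month's instead."
    $pt = Get-PatchTuesday (Get-Date).AddMonths(-1)
}

$installed = Get-UpdatesSincePatchTuesday -Since $pt
if ($installed) {
    "Installed since $($pt.ToString('yyyy-MM-dd')):"
    $installed | Format-Table -AutoSize
} else {
    "No updates recorded since $($pt.ToString('yyyy-MM-dd')); open Windows Update and check for updates."
}

try {
    $pending = Get-PendingUpdates
    if ($pending) { "Still pending:"; $pending | Format-Table -AutoSize } else { "Nothing pending from Windows Update." }
} catch {
    "Could not query Windows Update: $($_.Exception.Message)"
}
```

Run it from an ordinary PowerShell prompt; no elevation is needed to read hotfix history or to search for updates, only to install them. Bear in mind that `Get-HotFix` does not list every update type (Defender definition and Store app updates are missing), so treat an empty list as a prompt to check Windows Update rather than as proof the machine is unpatched.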

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

  • Fox Tread3
    August 14, 2024 - Ahhh.. yesss.. the famous.. infamous Windows "Updates". Yeeehhh!! The good news is that the Win11 "update" didn't "break" anything on my Win11 machine, but I wish that was the case with my Win10 machine, (which I still run because Microsoft says it's garbage, and can't run Win11 🤨 ). Anyway(s)😏 the Win10 "updates" managed as usual to trifle with my sound settings on my Win10 machine, and even taking the precaution previously of creating "System Restore points" prior to installing the current "updates" didn't help. I have no sound on my Win10 machine at the moment. I assume at some point the problem will be rectified, but this is exactly why I have more than one Windows full tower desktop computer, along with a Chromebook, and an Apple Mac Mini. My next step at some point is to get a second different ISP account in case my present one goes offline as it does occasionally. Life ain't cheap in the first world.😏
    Reply