Microsoft Patches Dangerous "zero-day" Windows Flaws - What to Do Now

Windows users, update your home PCs. There is a nasty security flaw that is already being used in online attacks. Microsoft distributed a fix for this vulnerability in its monthly Patch Tuesday Update yesterday (December 14).

This "zero-day" flaw, cataloged as CVE-2021-43890, appears to be in use by cybercriminals to spread malware that attempts to steal sensitive information from PCs or force users to call fake technical support. Windows 10 and Windows 11 are equally vulnerable. The flaw stems from an issue with the Windows App Installer tool, which can also be downloaded from the online Microsoft Store.

"Microsoft is aware of an attack that attempts to exploit this vulnerability using a specially crafted package containing a family of malware known as Emotet/Trickbot/Bazaloader," the security advisory released for the flaw states. "Attackers can create malicious attachments used in phishing campaigns. The attacker must persuade the user to open a specially crafted attachment. Accounts of users who are configured with fewer user privileges on the system may be less affected than users operating with administrator user privileges."

This last sentence highlights one of the lesser-known but most effective security safeguards that Windows users can implement. If a normal "daily driver" Windows account is set up as a "restricted user" who cannot install or modify software, the risk of a computer being seriously hacked is much lower.

The administrator account can be left dormant. Whenever software needs to be updated, the administrator account's password can be entered to approve the update without having to log in to that account.

Anyway, to update your Windows machine, click on the Windows icon in the lower left corner of the screen (lower center if you are running Windows 11) and click on the gear icon in the pop-up menu. Click on "Update and Security" and then click on the "Check for Updates" button.

If you want the updates to be installed automatically, click "Advanced Options" on that page and toggle the appropriate entry.

Microsoft yesterday patched 66 other flaws in its various software packages. Of these, only the above flaw is known to have already been exploited.

One of the most serious non-zero-day flaws is a remote code execution flaw (hacking via the Internet, for you and me) in Microsoft Office. The App Installer flaw has a severity score of 7.1 out of 10, while this flaw scores 9.6.

Microsoft does not provide many details about this flaw, probably because they do not want anyone to know how to exploit this flaw before most people get a chance to install the patch.
