Microsoft Fixes Dozens of Security Flaws in Windows 10 — Here's What to Do

Microsoft has distributed fixes for 117 security flaws in its software products, including Windows 10 and Microsoft Office. Up to nine of them are "zero-day" flaws. Users of Windows 10 and Windows 8.1, as well as Windows 7 users who have paid for the security updates, will want to run Windows Update as soon as possible to install the fixes.

If Windows does not prompt you to run Windows Update, click the Windows logo in the lower left, click Settings, and then click Update and Security. Then click "Check for Updates" and follow the on-screen instructions.

Depending on how you define "zero-day," either four or nine fix-'em-now flaws were patched on Patch Tuesday in July. All nine flaws were disclosed before Microsoft created a fix, but as far as the software maker knows, only four were used "in the wild" to attack Windows users.

One of them was PrintNightmare (catalog number CVE-2021-34527), a flaw in the Print Spooler software that sends print jobs to networked printers. The flaw was disclosed in late June by a security firm that misunderstood Microsoft's preliminary report and thought the flaw had been fixed.

It was not fixed, and attackers used a proof-of-concept exploit posted briefly on Twitter to carry out real attacks. Microsoft issued an emergency patch for PrintNightmare last week, but some security experts noted that the flaw was not fully fixed. Microsoft disagrees and is including the patch in this month's security rollup for those who did not install it last week.

CVE-2021-34448 involves a booby-trapped file embedded in a maliciously crafted web page; if the file is downloaded via a web browser, it could execute code on a Windows machine.

To initiate the exploit process, the user must be tricked into clicking a link, but that is not a major obstacle for many attackers.

"In a web-based attack scenario, an attacker could host a website containing specially crafted files designed to exploit a vulnerability (or take advantage of a compromised website that accepts or hosts user-supplied content)," Microsoft wrote in a security bulletin. However, an attacker cannot force a user to access that website. Instead, the attacker must persuade the user to click on a link, usually by an enticement in an email or instant messenger message, to persuade the user to open a specially crafted file.

Two other zero-day flaws that are being actively exploited (CVE-2021-31979 and 33771) require local access. However, malware that gets onto the machine in other ways can take advantage of these flaws.

Both are "elevation of privilege" vulnerabilities in the Windows kernel, which can be used to grant administrative or system privileges that low-privileged users or processes should not have.

Of the five zero-day vulnerabilities that have not been actively exploited, three are vulnerabilities that only affect the server.

One of the other two (CVE-2021-33781) is a bypass of a security feature, suggesting the possibility of getting into something without a password or authentication, but Microsoft does not provide much detail other than that it can be exploited via the Internet.

Another (CVE-2021-34492) allows an attacker to forge Windows certificates, a type of digital signature used to verify authenticity. This too can be exploited online, but Microsoft believes the overall risk is low.

Not to mention the other 108 flaws that will be fixed, 10 of which are rated "critical" and allow the installation and execution of malicious code over the Internet. (You can read the entire July 2021 Microsoft security bulletin online.) Now let's patch these PCs.
