Microsoft Sounds Urgent Warning On An Active Windows Update Security Flaw

Look, before we even get into the meat of what the problems were, if you're on Windows, make sure you've got the latest updates. Yesterday's "Patch Tuesday" brought with it fixes for nearly 80 different security bugs across just about every single Microsoft product, but the real worry has to do with a zero-day bug that has now been patched.

Actually, sorry; make that four zero-days. If you're not up on your security jargon, a 'zero-day' is a security exploit that is already being actively abused when it is discovered. Indeed, Microsoft sewed up zero-day flaws in Office Publisher, Windows Mark of the Web, the Windows Installer, and Windows Update in this month's update rollup.

Arguably the most severe was CVE-2024-43491, "Microsoft Windows Update Remote Code Execution Vulnerability," assigned a severity of 'Critical' and given a CVSS rating of 9.8 out of 10. The bug only affects Windows 10, but it's an easy attack that can be performed over the internet and gives the attacker the ability to execute code on the vulnerable machine without authentication. This is, obviously, bad.

[Image: Windows Update remote code execution vulnerability, from the MSRC page about the most serious vulnerability fixed in yesterday's updates.]

The flaw seems to have been caused by Microsoft itself: the vulnerabilities that offered the attack surface had already been patched once, but a security update released in March broke the mitigations for those vulnerabilities. As we noted, the flaw only affects Windows 10, but the other, less-severe zero-days are more general and include Windows 11.

Ultimately, what you need to know is that Microsoft has these problems all patched up. Simply download the latest security updates—your machine probably did this for you already—and you can sleep soundly, secure in the knowledge that a new cybersecurity nightmare will pop up next week.