
Patch Tuesday for October features 3 critical fixes, patches for IE, .Net, Word, and more


Microsoft releases updates for Windows on the first Tuesday of each month. This is widely referred to as ‘Patch Tuesday,’ and today everyone should have received brand new updates (8 to be exact). Microsoft rates each update, so you know which ones to install first if you can’t install all of them at the moment.

There are three ‘critical’ updates available today, and you should install these as soon as possible, as they patch serious security vulnerabilities. These are also the vulnerabilities malicious programs could be abusing, taking advantage of users who have not bothered to update their systems. These three updates fix vulnerabilities in Internet Explorer, the .NET Framework, and the kernel-mode driver.

The Internet Explorer vulnerability can be exploited when a user simply visits a webpage, and it can give the attacker the same user rights as the account you are using; those running with administrative rights are at serious risk. The other two vulnerabilities require user ‘cooperation’ through actions such as clicking URLs or opening files received via email.

Patch Tuesday for 10/14/2014

The rest of the patches are ‘important’ and are: Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942), Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869), Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434), Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254), and Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579).

The Word vulnerability could enable an attacker to gain user rights, install programs, view or delete files, or create new user accounts by tricking a user into opening a specially crafted document. You can read the full details of the vulnerabilities here, including whether they require a restart.

As a user you are allowed to do certain things on your machine, as are the programs you install. However, attackers can find loopholes that let them make a program do things it wasn’t intended to do. The good thing is that most of the time this requires some action by the user, such as opening a file you don’t trust, so one way to avoid these attacks is to use trusted sources and visit trusted websites. There will be new vulnerabilities found next month, and a new patch on Tuesday.

This is the circle of life in software development. Until then, update your system and stay smart about what you click.
