Windows Update Time: Microsoft Patched a Nasty Vulnerability

PC users, it's time to fire up Windows Update once again, and this time, you have Google to thank.

Last Monday (Oct. 31), Google decided to disclose a scary Windows problem that it thought Microsoft had taken too long to fix. (Google found the issue and reported it to Microsoft on Oct. 21, but the flaw was being actively used by hackers.) This month's Patch Tuesday security update, released today (Nov. 8) by Microsoft, fixes security issues that could give hackers control of your system.

In a blog post last week (Nov. 1), well before the fix was ready, Microsoft VP Terry Myerson attributed the ongoing attacks to the so-called Strontium hacker group, aka Fancy Bear, which is believed to be part of Russian military intelligence and is one of two Russian groups accused of hacking into the Democratic National Committee earlier this year.

Myerson noted the Strontium group "conducted a low-volume spear-phishing campaign" which "used two zero-day vulnerabilities in Adobe Flash and … Windows … to target a specific set of customers."

Adobe patched the problem on its end on October 26, but Microsoft waited until today to release the fix in this month's edition of the Patch Tuesday update. The update is available for systems running Windows 10, 7, 8.1 and Vista, so everyone needs to make sure this patch is applied now that it's available. Microsoft labelled the update as Important, so look out for that nomenclature to make sure you're getting the update.

While this patch should be enough to fight off the current known vulnerabilities, Microsoft is advising that users upgrade systems to Windows 10 to protect themselves against other variants of spear-phishing attacks. Myerson claimed that those using Microsoft's Edge browser were already protected from the "versions of this attack observed in the wild."

In that blog post released last week, Myerson complained about the early disclosure from Google, writing that its "decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."

Google believed that customers were already facing enough risk without the update, as its announcement claimed the vulnerability "is being actively exploited."

So what can I do?

  • First, make sure Flash is up to date.
  • If you're using Windows 7, click the Start button, click Control Panel, click Windows Update, click Check for Updates and follow the subsequent instructions.
  • Those on Windows 10 should click the Start button, click Settings, click Update & security, click Check for updates and follow the subsequent instructions.
  • Windows 8.1 users should swipe in from the right edge of the screen, tap Settings, tap Change PC Settings, tap Update and Recovery, tap Windows Update and then tap Check now. Follow the subsequent instructions to install updates. Also, read how much easier it is to update a Windows 10 system, and consider moving on from Windows 8.1.
