Microsoft published its April security release notes on Tuesday, announcing patches for more than 100 vulnerabilities, many of which are listed as "critical." Three of those were zero-days that were already being actively exploited.
We'll focus on the vulnerabilities Microsoft considers critical, especially those three zero-days. Keep in mind, for a security flaw to be deemed "critical," it must let malware exploit and gain control over a system without help from the owner.
We don't know much about the three zero-day flaws; Microsoft typically keeps the details to a minimum for several weeks so it can finish rolling out a patch and give Windows 10 users enough time to install it.
The three actively exploited zero-days are listed as CVE-2020-1020, CVE-2020-0938 and CVE-2020-1027. The first vulnerability, CVE-2020-1020, is a flaw in the Windows Adobe Type Manager Library that lets attackers remotely take control of a system (via ZDNet). Fortunately, this particular vulnerability doesn't affect Windows 10. If you're still using Windows 7, it's time to upgrade.
CVE-2020-0938 is also in the Windows Adobe Type Manager Library. It's similar to the first and lets bad actors install programs or change data.
The third and final zero-day found in the wild is an issue with how the Windows kernel handles objects in memory. When exploited, an attacker can execute code with "elevated permissions."
Of the security vulnerabilities, those three are the scariest. However, a total of 19 critical flaws were patched, seven of which impact Windows 10 laptops and desktops. Three of those --- CVE-2020-0948, CVE-2020-0949 and CVE-2020-0950 --- exist as memory corruption flaws in the Windows Media Foundation.
"An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft notes.
How to protect your Windows PC
As per usual, Microsoft released a lump update on Patch Tuesday yesterday to fix all of these exploits at once. That makes our advice to you straightforward: update your Windows 10 device.
Yes, we know, Windows is a mess right now with each new update causing more harm than good. But security patches like the one Microsoft is pushing out are crucial to the safety of your PC and the sensitive information that lives inside.
If you're not a high-risk target -- a government employee, business exec, celebrity, etc. -- then you're probably OK waiting for the update to hit your laptop. If you are, or just want extra reassurance, jump to the front of the line by manually forcing the update. You can do this by typing "Update" into the search bar and selecting "Check for updates" on the next two pages. This will pull down any updates available for your Windows 10 PC.
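To confirm from a PowerShell prompt that no critical fix is still waiting after you check for updates, the following added example (not from Microsoft or the original article) asks the Windows Update Agent COM API for software updates that are not yet installed and flags those Microsoft rates Critical. The function name Get-PendingSecurityUpdate is a hypothetical helper chosen for illustration, and the scan needs network access to the update service.

```powershell
# Added example: list updates Windows Update has not installed yet and
# flag the ones Microsoft rates "Critical".
# Get-PendingSecurityUpdate is a hypothetical helper name, not a built-in cmdlet.
function Get-PendingSecurityUpdate {
    # Windows Update Agent COM API, present on Windows 10 by default.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Software updates that are applicable, not installed and not hidden.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            # MsrcSeverity is empty for non-security updates.
            Severity   = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }
            KB         = @($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
            Downloaded = $update.IsDownloaded
            Title      = $update.Title
        }
    }
}

# @() keeps the result an array even when zero or one update is returned.
$pending  = @(Get-PendingSecurityUpdate)
$critical = @($pending | Where-Object { $_.Severity -eq 'Critical' })

$pending | Sort-Object Severity | Format-Table -AutoSize -Wrap

if ($critical.Count -gt 0) {
    Write-Warning "$($critical.Count) critical update(s) still pending; install them and reboot."
} else {
    Write-Output 'No pending updates rated Critical.'
}
```

An empty table together with the "No pending updates" message means the machine already has everything the update service currently offers it.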