Serious Windows Flaw: Hackers Can Remotely Crash PCs

John Lister

Microsoft has described three Windows security fixes as an "essential" install, even for users who normally take their time or pick and choose updates. They are among the 56 fixes in the latest monthly security update, commonly dubbed Patch Tuesday.

Two of the fixes are rated "Critical" and the other "Important". Those ratings are based on a combination of how likely the flaw is to be exploited and how serious the resulting damage could be.

Remote Code Execution Risk

The two critical fixes (tracked as CVE-2021-24074 and CVE-2021-24094) both address a risk of remote code execution. That is arguably the most serious class of security flaw, as it effectively allows an attacker to remotely control the computer without needing a username or password to connect to the machine.

The closest thing to good news here is that Microsoft says these "vulnerabilities are complex which make it difficult to create functional exploits, so [attacks] are not likely in the short term." (Source: microsoft.com)

Blue Screen Of Death May Return

The important fix (CVE-2021-24086) is for a bug that could allow a denial of service. In this case, Microsoft isn't talking about the tactic by which attackers flood a website with bogus data requests to try to make it unavailable to legitimate visitors.

Instead, in this scenario an attacker could exploit the bug to remotely crash a computer with a stop error, better known as the Blue Screen of Death. Microsoft says it expects attackers to figure out exploits "much more quickly" than for the critical bugs.

In all three cases, Microsoft flatly states that "It is essential that customers apply Windows updates to address these vulnerabilities as soon as possible." For most home users that will be covered by automatic Windows Update, but those who have it switched off should install the fixes manually. (Source: betanews.com)

As a sign of how seriously Microsoft is taking the issue, it has even devised (highly technical) workarounds for IT administrators who aren't able to update and restart systems straight away, such as those running complex systems or systems that can only have limited and controlled downtime.
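For administrators who want to confirm where a machine stands, the following PowerShell script is an added example written for this page; it is not from the article, Microsoft, or the sources cited. It reports whether a given cumulative update is installed and whether IPv4 source-routed packets are being dropped, which is the interim workaround Microsoft published for CVE-2021-24074 (a detail the article above does not spell out). The KB number is a placeholder, since the article does not give one: look up the February 2021 cumulative update for your Windows build in the Microsoft Update Catalog and substitute it. Run in an elevated PowerShell session.

```powershell
# Added example (not from the article or Microsoft): report patch status for
# the February 2021 TCP/IP fixes and whether the interim source-routing
# workaround is active on this machine.

# PLACEHOLDER: the article gives no KB number; substitute the cumulative
# update identifier for your Windows build before running.
$RequiredKB = 'KB0000000'

function Test-UpdateInstalled {
    param([string]$KB)
    # Get-HotFix lists installed updates by their KB identifier; a missing
    # update yields no object, so the cast gives $false.
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Get-SourceRoutingState {
    # SourceRoutingBehavior is 'Drop', 'Forward' or 'DontForward'.
    # 'Drop' matches the interim workaround for CVE-2021-24074; it is a
    # stopgap, and only the update itself removes the vulnerable code.
    return (Get-NetIPv4Protocol).SourceRoutingBehavior
}

$patched = Test-UpdateInstalled -KB $RequiredKB
$routing = Get-SourceRoutingState

# Summarise the risk posture in one line for inventory or ticketing.
if ($patched) {
    $status = 'Patched'
} elseif ($routing -eq 'Drop') {
    $status = 'Unpatched; interim source-routing workaround active'
} else {
    $status = 'Unpatched and unmitigated: schedule the update'
}

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    UpdateInstalled  = $patched
    SourceRouting    = $routing
    WorkaroundActive = ($routing -eq 'Drop')
    Status           = $status
}
```

The script only reads state; it does not change the source-routing setting, so it is safe to run across a fleet with your usual remoting tooling to find machines that still need the update or the workaround.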

What's Your Opinion?

Do you use automatic updates for security fixes? Do you understand and follow Microsoft's categorisation for different levels of risk from bugs? Could Microsoft do a better job of directly contacting users when the most serious security risks arise?


Comments

dkingsbo_10494

So.... if I read this article correctly, $soft opened a "can of worms", and now it won't take much for a hacker to compromise a computer. That is a security breach! Don't the developers care?

Dennis Faas

Some software bugs can be exploitable depending on certain factors, whereby malicious authors (Hackers / Bots) will take advantage of said bugs. Some bugs can result in elevated access permissions to certain areas of the operating system and therefore are considered a critical patch.

This is nothing new and happens to all operating systems - whether it's Windows, Linux, or Mac. This really doesn't have anything to do with Microsoft dropping the ball per se, but instead highlights the importance of constantly updating the system when patches become available - because some users refuse to patch for some reason or another.

In this case, it's an important patch that needs to be applied, otherwise you risk potentially allowing a hacker / bot to crash your system just by having the system connected to the Internet. When it comes to weighing the risks (such as "Will this patch break my system?"), you are better off backing up the system using a disk image, then patching it.

If the patch breaks the system then you can decide if you want to roll back the disk image to the previous state, and mitigate it some way or another - such as keeping the system offline (for example) until a second patch is released.

buzzallnight

Do you use automatic updates for security fixes?

No, because some patches brick your computer!!!!

Do you understand and follow Microsoft's categorisation for different levels of risk from bugs?

No, it is very similar to the braying of a donkey!!!!!!!

Could Microsoft do a better job of directly contacting users when the most serious security risks arise?

LOL stop it you are making my sides hurt from laughing so hard!!!!!!!!!!!
All the security risks arise when the product is released!!!!!!!

Better questions would be:

1 Could M$ do a better job of writing and testing software before it is released?
2 Why are all the bugs discovered by independent researchers and NOT M$?
3 Why 5+ years after this product was released does it still have more holes in it than a screen door?
4 Why is M$ allowed to release a new product before they fix all the holes in the current product?
5 Why is the software industry not regulated like all other industries and allowed to live on shoddy products that are never really fixed or finished?
* Can we at least agree that M$ has no idea what secure software is
they have absolutely no idea how many undiscovered bugs still exist in Win10
and
they really don't give a bit!!!!!!!!!!

davolente_10330

I think I may have said this elsewhere, but since having problems with so-called Win 10 updates and, as I am using Win 10 Pro, I disabled auto updates on all my machines by way of the Group Policy Editor some time ago. I hate to think just how many "updates" my machines are missing, but after reading of all the problems experienced by other folk, I am extremely reluctant to allow MS to mess with them again. Unfortunately, one size does not fit all in this instance and I had to revert to previous versions to get things to work properly again. I get the impression that this "Windows as a service" notion really hasn't worked as it should.