New Windows 10 ‘Patch Tuesday’ Update Fixes 117 Security Flaws

Windows 10 users, it’s time to pay attention because Microsoft has announced a critical update warning and you need to act. 

In the company’s new Windows 10 ‘Patch Tuesday’ update, Microsoft revealed fixes for an eye-opening 117 security holes. 103 of these flaws are classified as ‘Important’ and 13 are deemed ‘Critical’ (including a further fix for the infamous PrintNightmare exploit). Furthermore, Microsoft confirms four of the critical flaws are under active attack by hackers. 

“This volume of fixes is more than the last two months combined,” notes the Zero Day Initiative (ZDI), a global community of independent security researchers. ZDI also highlights the four actively exploited vulnerabilities for particular attention: CVE-2021-34527 (PrintNightmare), CVE-2021-34448 (a memory corruption vulnerability), and CVE-2021-31979 and CVE-2021-33771 (both elevation of privilege attacks), which are the most serious type of hack a Windows user can face.

In addition to critical flaws, there is a further interesting exploit of note. CVE-2021-34466 is a hack for Windows Hello, Microsoft’s popular login system that uses fingerprints and facial recognition. Microsoft’s own figures state that approximately 85% of all sign-ins to Windows 10 devices currently use Windows Hello.

“Our findings show that any USB device [such as a webcam] can be cloned, and any USB device can impersonate any other USB device… The OS cannot validate such a device’s authenticity, at least not according to the USB specification,” states CyberArk Labs, the security research team which discovered the bug. This suggests we can expect further hacks of Windows Hello in future. 

07/16 Update: CyberArk has contacted me to warn that the patch Microsoft issued cannot fully mitigate the flaws it has found in the Windows Hello system.

“Windows Hello uses a USB camera to get the input for face recognition-based authentication. USB devices are not designed to offer a validation mechanism, and this means that most USB devices can be spoofed; this creates an inherent issue in Windows Hello,” explained Omer Tsarfati, CyberArk Security Researcher in a statement to me. “It makes Windows Hello trust the camera input without any ability to verify the authenticity of the data, which we demonstrated in our research. This issue can only be fully fixed by creating trust between the camera and the OS, but this requires the camera hardware and software to support this.”

All of which creates an inherent problem for Windows 10 users:

“Microsoft has limited the issue to an extent [with its patch], but the concept remains a serious one as it exposes a new attack vector to any biometric authentication that relies on input from an external USB device,” Tsarfati explains. “It is possible that, in future, if (for instance) Windows were ever to allow remote authentication with face recognition, even the need to be able to access a user machine will not be necessary; it becomes potentially possible to exploit this attack remotely, which will increase the attack risk substantially.”

While Windows Hello remains a fast and convenient way to secure access to a Windows 10 computer, CyberArk’s research shows that its security is far from watertight. Consequently, I would expect to see further attempts to exploit this vulnerability in future. A game of cat and mouse has begun.

To download the latest Windows 10 patches, users should follow these steps:

  • Open Windows Settings > Update & Security > Windows Update
  • Click “Check for updates”
  • Confirm that the new July patch starts installing
  • Restart your computer afterwards
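
To confirm the steps above took effect, the following PowerShell check lists updates installed since the July release and reports whether a restart is still outstanding. It is an added example, not part of the original article; it assumes the July 2021 Patch Tuesday date of 13 July 2021 (not stated in the article), and the function names are illustrative.

```powershell
# Added example: verify the July update installed and whether a restart is pending.
# Assumption: July 2021 Patch Tuesday fell on 13 July 2021 (date not given in the article).
$patchTuesday = [datetime]'2021-07-13'

function Get-UpdatesSince {
    param([Parameter(Mandatory)][datetime]$Since)
    # Get-HotFix reads Win32_QuickFixEngineering; InstalledOn is empty for some
    # entries, so those are skipped rather than compared against the date.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn |
        Select-Object HotFixID, Description, InstalledOn
}

function Test-RestartPending {
    # Windows creates either key when an installed update is waiting for a reboot.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    [bool]($keys | Where-Object { Test-Path -LiteralPath $_ })
}

$updates = @(Get-UpdatesSince -Since $patchTuesday)
if ($updates.Count -eq 0) {
    Write-Warning "No update installed on or after $($patchTuesday.ToShortDateString()); run 'Check for updates' again."
} else {
    $updates | Format-Table -AutoSize
}

if (Test-RestartPending) {
    Write-Warning 'A restart is pending; the patches are not fully applied until the machine reboots.'
}
```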

Hackers appear to have declared open season on Windows 10 this month, so I would advise all Windows 10 users to download these updates as a matter of priority. 

About the author

Mightynews
