One of Microsoft’s biggest Windows 11 updates yet brought a massive number of security flaw fixes

Microsoft has issued a mammoth Windows 11 update that brings fixes for around 150 security flaws in the operating system, including fixes for 67 Remote Code Execution (RCE) vulnerabilities. RCEs enable malicious actors to deploy their code to a target device remotely, often without a person’s consent or knowledge – so this is a Windows 11 update you definitely want to install ASAP.

This update was rolled out on Microsoft’s Patch Tuesday (the second Tuesday of every month), the monthly date on which Microsoft releases security updates.

Three of these were classed as ‘critical’ vulnerabilities, meaning that Microsoft saw them as posing a particularly hefty risk to users. According to Bleeping Computer, more than half of the RCE vulnerabilities were found in Microsoft SQL drivers, essential software components that facilitate communication between Microsoft apps and its servers. This has led to speculation that the SQL drivers share a common flaw that is being exploited by malicious users.

The three vulnerabilities classed as ‘critical’ had to do with Windows Defender, ironically an app designed by Microsoft to protect users from online threats. 

A possibly record-setting update

KrebsOnSecurity, a security news site, claims that this security update sets a record for the number of Windows 11 issues addressed, making it the largest update Microsoft has released this year (so far) and the largest released since 2017.

The number of bugs is broken down as follows:

  • 31 Elevation of Privilege Vulnerabilities
  • 29 Security Feature Bypass Vulnerabilities
  • 67 Remote Code Execution Vulnerabilities
  • 13 Information Disclosure Vulnerabilities
  • 7 Denial of Service Vulnerabilities
  • 3 Spoofing Vulnerabilities

These spanned several apps and features, including Microsoft Office apps, BitLocker, Windows Defender, Azure, and more.

Two zero-day loopholes that were cause for concern

Two zero-day vulnerabilities were also addressed by Microsoft in April’s Patch Tuesday update, and apparently, they have been exploited in malware attacks. Zero-day vulnerabilities are flaws in software that potentially harmful actors find and possibly exploit before the software’s developers discover them. The zero refers to the proverbial buffer of time that developers have to develop a patch for the issue: none.

Microsoft hasn’t said whether the zero-day flaws were being actively exploited, but this information was shared by Sophos (a software and hardware company) and Trend Micro (a cybersecurity platform). 

One of these has been labeled CVE-2024-26234 by Microsoft, and it’s been classed as a Proxy Driver Spoofing Vulnerability. The other, CVE-2024-29988, was classed as a SmartScreen Prompt Security Feature Bypass Vulnerability.

You can see the full list of vulnerabilities in a report by Bleeping Computer. Mashable points to the fact that Windows necessitates such a vast number of patches and changes because Windows is used as the operating system on different manufacturers’ machines and has to constantly keep up with accommodating a variety of hardware configurations.   

Some users might find Windows 11’s need for frequent updates annoying, which could lead them to consider alternative operating systems like macOS. If you’re sticking with Windows 11, KrebsOnSecurity recommends that you back up your computer’s data before installing the update. I’m glad Microsoft continues to address bugs and security risks in Windows 11, even if that does mean we’re nagged to update the OS more than some of its competitors, and I would urge users to make sure that they install this update, which you can do through Windows Update if your PC hasn’t started this process already.

TechRadar – All the latest technology news

Windows 11 fixes this bewildering flaw that’s bugged PC gamers for a decade

Windows 11 gamers rejoice, get out the party poppers, and crack the champagne open – for you can now specify a drive location to install your purchases from the Microsoft Store.

As you’re likely aware – if you have any truck with the store – if you buy a game, you’re stuck with having to install it on your system drive. Meaning that if you have a secondary drive, there’s no possibility of choosing to put a game on there at installation.

Until now, that is. With version 22310 of the Microsoft Store app, you can now select a drive to install your game, as flagged by a Microsoft engineer on X (formerly Twitter).

As the engineer further points out, you can even specify an external drive, should you want to.


Analysis: Back to basics

This is a pretty basic option, of course, and one that could be very necessary if you don’t have much space on the main drive where Windows 11 sits. Or you don’t want to clutter that system drive with games, and would prefer to keep those separate from all the serious stuff.

Given that, it’s pretty jaw-dropping that it has taken a decade for Microsoft to make it possible to specify an installation drive and folder. (Yes, the store was first launched way back in 2012, before Windows 10 was even around).

Speaking of Windows 10, it remains to be seen if this upgrade will be visited on the older operating system – but you’d hope so.

Time will tell, as Microsoft has said it isn’t making any further feature updates to Windows 10 – just very minor tweaks (whether this install option counts as that, or not, well, we’ll see). Except, rumor has it, Copilot may be incoming for Windows 10, but perhaps not out of the goodness of Microsoft’s heart (there might be an ulterior motive for that move, if it happens).

Microsoft has been busy making the store better in recent times, as you may have seen, with one improvement of late being to massively speed up the time it takes the app to load.

Via Tom’s Hardware

Most QNAP NAS Devices Affected by ‘Dirty Pipe’ Linux Flaw

The “Dirty Pipe” Linux kernel flaw – a high-severity vulnerability in all major distros that grants root access to unprivileged users who have local access – affects most of QNAP’s network-attached storage (NAS) appliances, the Taiwanese manufacturer warned on Monday. Dirty Pipe, a recently reported local privilege escalation vulnerability, affects the Linux kernel on QNAP […]
Threatpost


Microsoft Teams is finally fixing this super annoying flaw

Being plagued by annoying notification pings whilst on a call may soon finally be at an end for users of Microsoft Teams.

The company has confirmed that it will soon allow users to mute notifications whilst they are in a video conferencing meeting or don't want to be disturbed.

This should mean an end to distracting notifications or alerts when you’re in the middle of an important meeting, particularly as more and more businesses embrace hybrid working.

No more notifications

“The current experience of receiving notifications during meetings is highly distracting and there is no easy way to turn off these notifications making it highly painful for users,” Microsoft's Joao Ferreira wrote in an M365 admin post announcing the news.

“This feature will introduce a setting to help the user turn OFF notifications during meetings.”

In order to activate the setting, users need to click on the ellipsis next to their Microsoft Teams profile picture, then select global settings -> Notifications -> Meetings. Doing so will turn off notifications for all meetings.

If users want to allow certain notifications to come through, say if they are expecting an important email or alert, they can turn notifications on or off on a per-meeting basis through the setting provided in the meeting tray.

By allowing users to specify which types of alerts they receive, the latest Teams update should help address common remote working issues that have been increasingly facing workers across the world. 

Ferreira noted that the feature is set to begin rolling out in early February, with most users set to have it ready by mid-March 2022. It will be available worldwide to all Microsoft Teams users across desktop and web.

News of the feature first emerged back in November 2021, with Microsoft Teams enjoying a raft of useful updates since then. This includes the addition of chat bubbles so that users wouldn't miss private messages sent during a video call, whether 1:1 or as part of a group call.
