Microsoft is warning over 800 million customers who use Windows 10 to immediately update the software on their devices due to critical vulnerabilities in Internet Explorer and Windows Defender. Those vulnerabilities, warns an advisory Microsoft released on Monday, mean "an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email."
Furthermore, this type of attack could allow an attacker to "take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." This is known as a zero-day attack and is similar to the type of vulnerability Apple recently announced it would give you $1 million to find in iOS.
The problem with a zero-day attack is that it requires almost no intervention from a user. Simply visiting an affected website is enough to allow the attacker to access your device. Even without downloading a file, or interacting with the site, the website can gain root access to your device, meaning it has complete control to install software or, worse, view your personal information.
And, while Microsoft officially replaced Internet Explorer with the Chromium-based Edge browser, Internet Explorer still comes preinstalled on Windows 10 devices. You can understand, then, why Microsoft wants you to update your software. Like, right now.
While the Windows Defender update will happen automatically, users must manually update Internet Explorer by visiting the Microsoft Update Catalog. That's a problem, because users have started bypassing Windows updates as growing reports of additional bugs and flaws have caused many people to feel like the updates are more trouble than they're worth.
It's interesting that Microsoft is requiring users to go through an extra step to get the update, especially since the company's advisory indicates the vulnerability has been actively exploited in the wild. That means actual Windows 10 computers have been compromised as a result of this specific flaw.
You might think this would motivate Microsoft to push an automatic update for both patches. I reached out to Microsoft but did not immediately receive a response.
If you're using Windows 10, you should visit the security update page to download the corresponding update files for your system. As a best practice, while software updates always run the risk of introducing bugs, you're far better off keeping your system up-to-date in order to prevent your computer and personal information from being compromised.
You should also turn on automatic updates, to make sure your computer receives critical software updates. Finally, when a company like Microsoft goes through the trouble of sending out a warning like this, pay attention.