Microsoft Windows Deadline—You Have 21 Days To Update Your PC

Zak Doffman- Contributor -I cover security and surveillance

Microsoft Windows users are suddenly at risk from a “previously unknown” trick to attack their PCs. This threat is now being actively exploited through a hidden vulnerability on your system, one that has just been patched by Microsoft.

The research team at Check Point warns that “attackers are using special Windows Internet Shortcut files, which, when clicked, call the retired Internet Explorer (IE) to visit the attacker-controlled URL… By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.”

The threat is serious enough that the US government has just added it to its Known Exploit Vulnerability catalog, warning that Microsoft Windows contains “a spoofing vulnerability that has a high impact to confidentiality, integrity, and availability.”

CISA, the government’s cybersecurity agency has mandated all Windows systems in use by federal employees be updated or shut down within 21-days, by July 30. Given that Check Point reports that “threat actors have been using the attacking techniques for quite some time,” it is critical that all organizations also apply CISA’s mandate.

We have seen another CISA July Windows update mandate already this month. But this time around, the first known exploits date back more than a year—which is an alarming length of time for an exposure to be out in the wild. Microsoft acknowledged this vulnerability had been exploited in its update, and I have reached out for any comments on Check Point’s report which has since been published.