Several important security announcements came out last week impacting Microsoft Windows, the popular free 7-Zip compression utility and the proliferation of dangerous free VPN products. What’s also interesting is the emergence of AI as a tool for good (and bad) in discovering some of the bugs!

Microsoft Windows Patches:
This month, Microsoft released a bevy of security patches including eight zero-day exploits and three under active exploitation. This means the timely patching of your Windows devices this month is critical. To exploit these vulnerabilities, an attacker would need to convince a victim to open a specially crafted file. Delivery of malicious files by email is most common, so having advanced email security is a critical layer of protection. Of special note is that the three actively exploited vulnerabilities were discovered using an AI-assisted discovery platform, unpatched.ai.

7-Zip:
7-Zip is a popular free zip compression utility installed on many systems. Last week, a high severity vulnerability was disclosed that allows attackers to bypass Windows protections. Since the software does not provide an integrated update mechanism, many users will have to manually update their systems. If you are running version 24.09 released back in November, you are protected.

Dangerous Free VPNs:
We are seeing the proliferation of VPNs, by users, to avoid geographic content limits such as the Tiktok ban, access overseas sports events and other entertainment content. As people search out these solutions online, in many cases they’re inadvertently installing malware and sharing personal data by routing their traffic through unscrupulous VPN providers. Many users believe VPNs are secure and provide privacy. However, in the case of most free VPN solutions, the opposite is true. Users should be advised to never use free VPN solutions and only use reputable providers.

What do I need to do?
December patches for Windows began rolling out last week. Users should complete the installation of patches when prompted and not delay or defer them.

• Updates can be manually installed for Windows systems by following the directions below:
  • Microsoft Windows: https://support.microsoft.com/en-us/windows/update-windows-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a
• 7-Zip Patching can be patched by downloading and installing the latest version
• Download here: https://7-zip.org/download.html
• Advise users never to use VPNs on corporate devices unless explicitly approved, never use free VPNs and only use reputable providers when required: https://www.tomsguide.com/best-picks/best-vpn

Additional Resource and Details:

• Microsoft Windows Security Updates: https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2025-patch-tuesday-fixes-8-zero-days-159-flaws/
• 7-Zip: https://www.bleepingcomputer.com/news/security/7-zip-fixes-bug-that-bypasses-the-windows-motw-security-mechanism-patch-now/
• Secure VPNs: https://www.tomsguide.com/best-picks/best-vpn
• VPN Risks: https://www.ic3.gov/PSA/2024/PSA240529