
Two Windows Zero-Days Exploited in the Wild, Is Your Business Patched?

Shaun Wong

Every second Tuesday of the month, Microsoft releases a batch of security fixes for Windows. IT professionals call it Patch Tuesday, and most small business owners have never heard of it. That is understandable. Patches are invisible infrastructure, the kind of thing that only gets attention when something goes wrong.

October's Patch Tuesday is worth paying attention to because it was unusually significant. Microsoft fixed 183 vulnerabilities in a single release, two of which were already being exploited by attackers before the fix was available. These are what security researchers call zero-days, and they deserve a plain-English explanation.

What a Zero-Day Actually Means

A zero-day is a security vulnerability that attackers know about and are actively exploiting before the software maker has had a chance to fix it. The name comes from the idea that when a fix is released, developers have had zero days to prepare a patch.

When Microsoft releases a security fix for a vulnerability that was previously unknown, businesses have a window of time before attackers reverse-engineer the fix and figure out how to exploit the now-documented flaw in unpatched systems. That window used to be measured in weeks. Today it is often measured in days. Automated tools make it increasingly fast for attackers to turn a newly public vulnerability into a working attack.

Zero-days that are "actively exploited in the wild" are a different and more serious category. These are vulnerabilities that criminal groups or nation-state actors have already built attack tools around and are using against real targets. When Microsoft uses that phrase in their security bulletins, it means someone has already been compromised using this exact flaw.

The October Vulnerabilities: What Was Exploited

The two actively exploited vulnerabilities fixed in October 2025 involved the MSHTML engine (the component that renders web content across multiple Windows applications, not just Internet Explorer) and the Microsoft Management Console (MMC), a tool used in system administration.

The MSHTML vulnerability allowed attackers to run malicious code on a target machine by tricking a user into opening a specially crafted file or link. The MMC vulnerability was used in targeted attacks to gain elevated privileges, meaning an attacker who had already gained some access to a system could use it to take complete control.

Both vulnerabilities were used in targeted attacks rather than widespread mass campaigns, which means the risk to a typical Perth small business is real but not at pandemic scale. That said, "targeted attacks" increasingly includes small businesses. Attackers do not just go after large corporations. Small businesses with access to valuable client data, financial systems, or supply chains are attractive targets precisely because their security is often weaker.

Why Patching Is the Single Most Important Security Action You Can Take

Studies consistently find that the majority of successful cyberattacks exploit vulnerabilities that already have patches available. Verizon's annual Data Breach Investigations Report has reported for several years running that unpatched software is involved in a significant share of breaches. The ACSC (Australian Cyber Security Centre) lists patching as one of the Essential Eight, the baseline set of security controls it recommends for all Australian organisations.

The logic is straightforward. Attackers know that many organisations take weeks or months to apply patches. They also know the exact details of the vulnerability once a patch is released and documented. So the moment Microsoft publishes a Patch Tuesday release, unpatched systems become targets with a known address on the wall.

Patching is not glamorous. It requires restarts, occasionally breaks a piece of software that was not compatible with the new update, and does not have any visible benefit you can point to. But it closes the doors that attackers walk through.

Setting Up a Simple Patching Routine

For most small businesses with Windows PCs, the answer is to turn on automatic updates and make sure they are actually running. Here is how to check.

Open Settings (the gear icon in the Start menu), then go to Windows Update. Check when updates were last installed. If the date is more than a few weeks ago, click "Check for updates" now. If updates are showing as pending a restart, schedule that restart for tonight.

To turn on automatic updates, go to Windows Update, then Advanced Options, and make sure "Receive updates for other Microsoft products" is turned on alongside the main Windows updates. This ensures Microsoft 365 apps, Edge, and other Microsoft software are also being updated.

One configuration worth checking is "Active hours." This tells Windows not to restart for updates during the hours you specify. Set your active hours to your business day (e.g., 8am to 6pm) and Windows will install and restart during overnight hours, so updates happen without interrupting your work.
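
The same checks can be read from PowerShell, which is useful when there are several PCs to look at. This script is an added example, not part of the original article; the function name Get-PatchHealth and the 30-day threshold (standing in for "more than a few weeks") are assumptions, and it only reads settings without changing anything.

```powershell
# Added example: read-only audit of the Windows Update checks described above.
# Assumption: 30 days stands in for "more than a few weeks"; adjust to suit.
$MaxPatchAgeDays = 30

function Get-PatchHealth {
    # Most recent installed update that carries an install date
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $ageDays = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null }

    # Windows creates these keys when an installed update is waiting for a restart
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $rebootPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })

    # Active hours as stored by the Settings app (may be absent if never set manually)
    $ux = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -ErrorAction SilentlyContinue

    # "Receive updates for other Microsoft products" registers the Microsoft Update service
    $muServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'
    $mu = (New-Object -ComObject Microsoft.Update.ServiceManager).Services |
        Where-Object { $_.ServiceID -eq $muServiceId }

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        LastUpdateInstalled    = if ($latest) { $latest.InstalledOn } else { $null }
        DaysSinceLastUpdate    = $ageDays
        PatchAgeOk             = ($null -ne $ageDays -and $ageDays -le $MaxPatchAgeDays)
        RestartPending         = $rebootPending
        ActiveHoursStart       = $ux.ActiveHoursStart   # e.g. 8 for 8am
        ActiveHoursEnd         = $ux.ActiveHoursEnd     # e.g. 18 for 6pm
        OtherMicrosoftProducts = [bool]($mu -and $mu.IsRegisteredWithAU)
    }
}

Get-PatchHealth | Format-List
```

A machine is in good shape when PatchAgeOk and OtherMicrosoftProducts are True and RestartPending is False.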

What About Older Windows Machines?

If you have a PC still running Windows 10, you should know that Microsoft ends mainstream security support for Windows 10 in October 2025. After that date, security patches will not be free, and eventually they will stop altogether. A machine running an unsupported operating system is a machine that will accumulate vulnerabilities with no fix available.

The practical advice is to plan hardware replacement or upgrades for any machine that cannot run Windows 11. Windows 11 requires a 64-bit processor, 4GB of RAM, and 64GB of storage, as well as a TPM 2.0 security chip. Most business PCs purchased from 2018 onward will qualify, though some may require a BIOS update to enable TPM 2.0.

If a critical piece of software you rely on only runs on Windows 10 or older, talk to us. That is a real situation many businesses face, and there are ways to manage the risk while you plan a transition.

Keeping your systems patched is the single highest-leverage security action available to a small business. It does not require technical expertise. It requires turning on automatic updates, occasionally restarting a machine, and replacing hardware when it can no longer receive security updates. Everything else in security matters less if your systems are running with known, unpatched vulnerabilities.
