Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.
All supported Windows operating systems will receive an update this month for a buffer overflow vulnerability that carries the catchy name CVE-2025-21418. This patch should be a priority for enterprises, as Microsoft says it is being exploited, has low attack complexity, and no requirements for user interaction.
Tenable senior staff research engineer Satnam Narang noted that since 2022, there have been nine elevation of privilege vulnerabilities in this same Windows component — three each year — including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193).
“CVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems,” Narang said. “At the moment, it’s unclear if CVE-2025-21418 was also exploited by Lazarus Group.”
The other zero-day, CVE-2025-21391, is an elevation of privilege vulnerability in Windows Storage that could be used to delete files on a targeted system. Microsoft’s advisory on this bug references something called “CWE-59: Improper Link Resolution Before File Access,” says no user interaction is required, and that the attack complexity is low.
Adam Barnett, lead software engineer at Rapid7, said although the advisory provides scant detail, and even offers some vague reassurance that ‘an attacker would only be able to delete targeted files on a system,’ it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service.
“As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links,” Barnett wrote.
One vulnerability patched today that was publicly disclosed earlier is CVE-2025-21377, another weakness that could allow an attacker to elevate their privileges on a vulnerable Windows system. Specifically, this is yet another Windows flaw that can be used to steal NTLMv2 hashes — essentially allowing an attacker to authenticate as the targeted user without having to log in.
According to Microsoft, minimal user interaction with a malicious file is required to exploit CVE-2025-21377, including selecting, inspecting or “performing an action other than opening or executing the file.”
“This trademark linguistic ducking and weaving may be Microsoft’s way of saying ‘if we told you any more, we’d give the game away,’” Barnett said. “Accordingly, Microsoft assesses exploitation as more likely.”
The SANS Internet Storm Center has a handy list of all the Microsoft patches released today, indexed by severity. Windows enterprise administrators would do well to keep an eye on askwoody.com, which often has the scoop on any patches causing problems.
It’s getting harder to buy Windows software that isn’t also bundled with Microsoft’s flagship Copilot artificial intelligence (AI) feature. Last month Microsoft started bundling Copilot with Microsoft Office 365, which Redmond has since rebranded as “Microsoft 365 Copilot.” Ostensibly to offset the costs of its substantial AI investments, Microsoft also jacked up prices from 22 percent to 30 percent for upcoming license renewals and new subscribers.
Office-watch.com writes that existing Office 365 users who are paying an annual cloud license do have the option of “Microsoft 365 Classic,” an AI-free subscription at a lower price, but that many customers are not offered the option until they attempt to cancel their existing Office subscription.
In other security patch news, Apple has shipped iOS 18.3.1, which fixes a zero day vulnerability (CVE-2025-24200) that is showing up in attacks.
Adobe has issued security updates that fix a total of 45 vulnerabilities across InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer and Photoshop Elements.
Chris Goettl at Ivanti notes that Google Chrome is shipping an update today which will trigger updates for Chromium based browsers including Microsoft Edge, so be on the lookout for Chrome and Edge updates as we proceed through the week.