Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.
All supported Windows operating systems will receive an update this month for a buffer overflow vulnerability that carries the catchy name CVE-2025-21418. This patch should be a priority for enterprises, as Microsoft says it is being exploited, has low attack complexity, and requires no user interaction.
Tenable senior staff research engineer Satnam Narang noted that since 2022, there have been nine elevation of privilege vulnerabilities in this same Windows component, three each year, including one in 2024 that was exploited in the wild as a zero-day (CVE-2024-38193).
“CVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems,” Narang said. “At this time, it is unclear if CVE-2025-21418 was also exploited by Lazarus Group.”
The other zero-day, CVE-2025-21391, is an elevation of privilege vulnerability in Windows Storage that could be used to delete files on a targeted system. Microsoft’s advisory on this bug references something called “CWE-59: Improper Link Resolution Before File Access,” says no user interaction is required, and that the attack complexity is low.
Adam Barnett, lead software engineer at Rapid7, said although the advisory provides scant detail, and even offers some vague reassurance that ‘an attacker would only be able to delete targeted files on a system,’ it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service.
“As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links,” Barnett wrote.
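The weakness class Microsoft cites, CWE-59, is easiest to see in a small file-deletion routine, so here is an added example that is not code from this article, from Microsoft, or from Rapid7. It places a cleanup routine that hands a path string to the OS and lets it be resolved at delete time beside a hardened one that refuses to operate through a link. It assumes POSIX semantics (symbolic links, O_NOFOLLOW, dir_fd); Windows junctions and the Windows Storage component itself are not modelled, and every directory and file name in it is constructed for the demonstration.

```python
import os
import stat
import tempfile


def naive_cleanup(cleanup_dir):
    """Vulnerable pattern (CWE-59): each path is handed to the OS as a string and
    resolved at deletion time. If cleanup_dir, or any component under it, has been
    replaced by a link, the unlink lands on the link target instead."""
    deleted = []
    for name in os.listdir(cleanup_dir):
        path = os.path.join(cleanup_dir, name)
        if os.path.isfile(path):          # follows links, so the check is fooled too
            os.remove(path)
            deleted.append(name)
    return deleted


def hardened_cleanup(cleanup_dir):
    """Hardened pattern: refuse to operate through a link. Open the directory with
    O_NOFOLLOW so a link at that path cannot be opened at all, then delete entries
    relative to that handle (dir_fd), skipping anything that is not a regular file."""
    if os.path.islink(cleanup_dir):
        raise PermissionError(f"refusing to clean {cleanup_dir}: it is a symbolic link")
    # O_NOFOLLOW closes the window between the islink() check and the open().
    dir_fd = os.open(cleanup_dir, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    deleted = []
    try:
        for name in os.listdir(dir_fd):
            st = os.lstat(name, dir_fd=dir_fd)   # lstat never follows the entry
            if not stat.S_ISREG(st.st_mode):
                continue                          # skip links, subdirectories, devices
            os.unlink(name, dir_fd=dir_fd)        # unlink relative to the open handle
            deleted.append(name)
    finally:
        os.close(dir_fd)
    return deleted


def run_demo(use_hardened):
    """Constructed scenario: a 'protected' directory holding one file, and a planted
    link named 'cleanup' that points at it. Returns whether the protected file
    survived and whether the cleanup refused to run."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected")
        os.mkdir(protected)
        victim = os.path.join(protected, "important.dat")
        with open(victim, "w") as f:
            f.write("constructed sample content\n")
        link = os.path.join(root, "cleanup")
        os.symlink(protected, link)               # the planted link (constructed)
        cleanup = hardened_cleanup if use_hardened else naive_cleanup
        try:
            cleanup(link)
            refused = False
        except OSError:                           # PermissionError or ELOOP from O_NOFOLLOW
            refused = True
        return {"survived": os.path.exists(victim), "refused": refused}


def run_hardened_on_real_dir():
    """Sanity check that the hardened routine still does its job on a genuine
    directory: regular files go, a link entry inside the directory is left alone."""
    with tempfile.TemporaryDirectory() as root:
        work = os.path.join(root, "cleanup")
        os.mkdir(work)
        for name in ("a.tmp", "b.tmp"):
            with open(os.path.join(work, name), "w") as f:
                f.write("constructed\n")
        target = os.path.join(root, "elsewhere.txt")
        with open(target, "w") as f:
            f.write("constructed\n")
        os.symlink(target, os.path.join(work, "c.tmp"))   # link entry inside the dir
        deleted = sorted(hardened_cleanup(work))
        return {"deleted": deleted,
                "link_target_survived": os.path.exists(target),
                "link_entry_survived": os.path.lexists(os.path.join(work, "c.tmp"))}


if __name__ == "__main__":
    print("naive    :", run_demo(use_hardened=False))
    print("hardened :", run_demo(use_hardened=True))
    print("real dir :", run_hardened_on_real_dir())
```

The naive routine deletes the file behind the link, which is the behaviour Barnett warns should not be dismissed as mere data loss; the hardened one refuses the linked directory outright and, on a real directory, only ever unlinks regular files relative to a handle it opened itself, so a link planted between the check and the deletion cannot redirect it.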
One vulnerability patched today that was publicly disclosed earlier is CVE-2025-21377, another weakness that could allow an attacker to elevate their privileges on a vulnerable Windows system. Specifically, this is yet another Windows flaw that can be used to steal NTLMv2 hashes, essentially allowing an attacker to authenticate as the targeted user without having to log in.
According to Microsoft, minimal user interaction with a malicious file is required to exploit CVE-2025-21377, including selecting, inspecting or “performing an action other than opening or executing the file.”
“This trademark linguistic ducking and weaving may be Microsoft’s way of saying ‘if we told you any more, we’d give the game away,’” Barnett said. “Accordingly, Microsoft assesses exploitation as more likely.”
The SANS Internet Storm Center has a handy list of all the Microsoft patches released today, indexed by severity. Windows enterprise administrators would do well to keep an eye on askwoody.com, which often has the skinny on any patches causing problems.
It’s getting harder to buy Windows software that isn’t also bundled with Microsoft’s flagship Copilot artificial intelligence (AI) feature. Last month Microsoft began bundling Copilot with Microsoft Office 365, which Redmond has since rebranded as “Microsoft 365 Copilot.” Ostensibly to offset the costs of its substantial AI investments, Microsoft also jacked up prices from 22 percent to 30 percent for upcoming license renewals and new subscribers.
Office-watch.com writes that existing Office 365 users who are paying an annual cloud license do have the option of “Microsoft 365 Classic,” an AI-free subscription at a lower price, but that many customers are not offered the option until they try to cancel their existing Office subscription.
In other security patch news, Apple has shipped iOS 18.3.1, which fixes a zero-day vulnerability (CVE-2025-24200) that is showing up in attacks.
Adobe has issued security updates that fix a total of 45 vulnerabilities across InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer and Photoshop Elements.
Chris Goettl at Ivanti notes that Google Chrome is shipping an update today which will trigger updates for Chromium-based browsers including Microsoft Edge, so be on the lookout for Chrome and Edge updates as we proceed through the week.