Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.
All supported Windows operating systems will receive an update this month for a buffer overflow vulnerability that carries the catchy name CVE-2025-21418. This patch should be a priority for enterprises, as Microsoft says it’s being exploited, has low attack complexity, and no requirements for user interaction.
Tenable senior staff research engineer Satnam Narang noted that since 2022, there have been nine elevation of privilege vulnerabilities in this same Windows component — three each year — including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193).
“CVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems,” Narang said. “At the moment, it’s unclear if CVE-2025-21418 was also exploited by Lazarus Group.”
The other zero-day, CVE-2025-21391, is an elevation of privilege vulnerability in Windows Storage that could be used to delete files on a targeted system. Microsoft’s advisory on this bug references something called “CWE-59: Improper Link Resolution Before File Access,” says no user interaction is required, and that the attack complexity is low.
Adam Barnett, lead software engineer at Rapid7, said that although the advisory provides scant detail, and even offers some vague reassurance that ‘an attacker would only be able to delete targeted files on a system,’ it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service.
“As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links,” Barnett wrote.
One vulnerability patched today that was publicly disclosed earlier is CVE-2025-21377, another weakness that could allow an attacker to elevate their privileges on a vulnerable Windows system. Specifically, this is yet another Windows flaw that can be used to steal NTLMv2 hashes — essentially allowing an attacker to authenticate as the targeted user without having to log in.
According to Microsoft, minimal user interaction with a malicious file is required to exploit CVE-2025-21377, including selecting, inspecting or “performing an action other than opening or executing the file.”
“This trademark linguistic ducking and weaving may be Microsoft’s way of saying ‘if we told you any more, we’d give the game away,’” Barnett said. “Accordingly, Microsoft assesses exploitation as more likely.”
The SANS Internet Storm Center has a useful list of all the Microsoft patches released today, listed by severity. Windows enterprise administrators would do well to keep an eye on askwoody.com, which typically has the inside track on any patches causing problems.
It’s getting harder to buy Windows software that isn’t also bundled with Microsoft’s flagship Copilot artificial intelligence (AI) feature. Last month Microsoft started bundling Copilot with Microsoft Office 365, which Redmond has since rebranded as “Microsoft 365 Copilot.” Ostensibly to offset the costs of its substantial AI investments, Microsoft also jacked up prices from 22 percent to 30 percent for upcoming license renewals and new subscribers.
Office-watch.com writes that existing Office 365 users who are paying an annual cloud license do have the option of “Microsoft 365 Basic,” an AI-free subscription at a lower price, but that many customers are not offered the option until they attempt to cancel their existing Office subscription.
In other security patch news, Apple has shipped iOS 18.3.1, which fixes a zero day vulnerability (CVE-2025-24200) that is showing up in attacks.
Adobe has issued security updates that fix a total of 45 vulnerabilities across InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer and Photoshop Elements.
Chris Goettl at Ivanti notes that Google Chrome is shipping an update today which will trigger updates for Chromium based browsers including Microsoft Edge, so be on the lookout for Chrome and Edge updates as we proceed through the week.
Azeem Rajpoot, the author behind This Blog, is a passionate tech enthusiast with a keen interest in exploring and sharing insights about the rapidly evolving world of technology.
With a background in Blogging, Azeem Rajpoot brings a unique perspective to the blog, offering in-depth analyses, reviews, and thought-provoking articles. Committed to making technology accessible to all, Azeem strives to deliver content that not only keeps readers informed about the latest trends but also sparks curiosity and discussions.