{"id":1941,"date":"2025-02-13T03:03:32","date_gmt":"2025-02-13T03:03:32","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/02\/13\/microsoft-patch-tuesday-february-2025-edition\/"},"modified":"2025-02-13T03:03:32","modified_gmt":"2025-02-13T03:03:32","slug":"microsoft-patch-tuesday-february-2025-edition","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/02\/13\/microsoft-patch-tuesday-february-2025-edition\/","title":{"rendered":"Microsoft Patch Tuesday, February 2025 Edition"},"content":{"rendered":"<div>\n<p><strong>Microsoft<\/strong> today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-56287\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2021\/07\/windupate.png?resize=749%2C527&#038;ssl=1\" alt=\"\" width=\"749\" height=\"527\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2021\/07\/windupate.png 841w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2021\/07\/windupate-768x541.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2021\/07\/windupate-782x550.png 782w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2021\/07\/windupate-100x70.png 100w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p>All supported Windows operating systems will receive an update this month for a buffer overflow vulnerability that carries the catchy name <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-21418\" target=\"_blank\" rel=\"noopener\">CVE-2025-21418<\/a>. 
This patch should be a priority for enterprises, as Microsoft says it is being exploited, has low attack complexity, and no requirements for user interaction.<\/p>\n<p><strong>Tenable<\/strong> senior staff research engineer <strong>Satnam Narang<\/strong> noted that since 2022, there have been nine elevation of privilege vulnerabilities in this same Windows component \u2014 three each year \u2014 including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193).<\/p>\n<p>\u201cCVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems,\u201d Narang said. \u201cAt this time, it is unclear if CVE-2025-21418 was also exploited by Lazarus Group.\u201d<\/p>\n<p>The other zero-day, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-21391\" target=\"_blank\" rel=\"noopener\">CVE-2025-21391<\/a>, is an elevation of privilege vulnerability in Windows Storage that could be used to delete files on a targeted system. 
Microsoft\u2019s advisory on this bug references something called \u201cCWE-59: Improper Link Resolution Before File Access,\u201d and says that no user interaction is required and that the attack complexity is low.<\/p>\n<p><strong>Adam Barnett<\/strong>, lead software engineer at <strong>Rapid7<\/strong>, said although the advisory provides scant detail, and even offers some vague reassurance that \u2018an attacker would only be able to delete targeted files on a system,\u2019 it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service.<\/p>\n<p>\u201cAs long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links,\u201d Barnett wrote.<span id=\"more-70396\"><\/span><\/p>\n<p>One vulnerability patched today that was publicly disclosed earlier is <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-21377\" target=\"_blank\" rel=\"noopener\">CVE-2025-21377<\/a>, another weakness that could allow an attacker to elevate their privileges on a vulnerable Windows system. Specifically, this is yet another Windows flaw that can be used to steal NTLMv2 hashes \u2014 essentially allowing an attacker to authenticate as the targeted user without having to log in.<\/p>\n<p>According to Microsoft, minimal user interaction with a malicious file is needed to exploit CVE-2025-21377, including selecting, inspecting or \u201cperforming an action other than opening or executing the file.\u201d<\/p>\n<p>\u201cThis trademark linguistic ducking and weaving may be Microsoft\u2019s way of saying \u2018if we told you any more, we\u2019d give the game away,\u2019\u201d Barnett said. 
\u201cAccordingly, Microsoft assesses exploitation as more likely.\u201d<\/p>\n<p>The <a href=\"https:\/\/isc.sans.edu\/diary\/Microsoft%20February%202025%20Patch%20Tuesday\/31674\" target=\"_blank\" rel=\"noopener\">SANS Internet Storm Center<\/a> has a handy list of all the Microsoft patches released today, indexed by severity. Windows enterprise administrators would do well to keep an eye on <a href=\"http:\/\/www.askwoody.com\/\" target=\"_blank\" rel=\"noopener\">askwoody.com<\/a>, which often has the scoop on any patches causing problems.<\/p>\n<p>It\u2019s getting harder to buy Windows software that isn\u2019t also bundled with Microsoft\u2019s flagship Copilot artificial intelligence (AI) feature. Last month Microsoft started bundling Copilot with <strong>Microsoft Office 365<\/strong>, which Redmond has since rebranded as \u201c<strong>Microsoft 365 Copilot<\/strong>.\u201d Ostensibly to offset the costs of its substantial AI investments, Microsoft also jacked up prices from 22 percent to 30 percent for upcoming license renewals and new subscribers.<\/p>\n<p>Office-watch.com <a href=\"https:\/\/office-watch.com\/2025\/microsoft-365-classic\/\" target=\"_blank\" rel=\"noopener\">writes<\/a> that existing Office 365 users who are paying an annual cloud license do have the option of \u201cMicrosoft 365 Classic,\u201d an AI-free subscription at a lower price, but that many customers are not offered the option until they attempt to cancel their existing Office subscription.<\/p>\n<p>In other security patch news, <strong>Apple<\/strong> has shipped iOS 18.3.1, which fixes a\u00a0<a href=\"https:\/\/support.apple.com\/en-us\/122174\">zero day<\/a>\u00a0vulnerability (CVE-2025-24200) that is showing up in attacks.<\/p>\n<p><strong>Adobe<\/strong> has issued security updates that fix a total of 45 vulnerabilities across <strong>InDesign<\/strong>, <strong>Commerce<\/strong>, <strong>Substance 3D<\/strong> <strong>Stager<\/strong>, <strong>InCopy<\/strong>, 
<strong>Illustrator<\/strong>, <strong>Substance 3D Designer<\/strong> and <strong>Photoshop Elements<\/strong>.<\/p>\n<p><strong>Chris Goettl<\/strong> at <strong>Ivanti<\/strong> notes that <strong>Google Chrome<\/strong> is shipping an update today which will trigger updates for Chromium-based browsers including <strong>Microsoft Edge<\/strong>, so be on the lookout for Chrome and Edge updates as we proceed through the week.<\/p>\n<\/div>\n<p>BrianKrebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/02\/microsoft-patch-tuesday-february-2025-edition\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Patch Tuesday, February 2025 Edition Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited. 
All supported Windows operating systems will receive an update this month for a buffer overflow vulnerability that carries the catchy name [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[355,771,276,772,773,774,775,569,55,776,777,354,363,778,186,187,178],"tags":[72],"class_list":["post-1941","post","type-post","status-publish","format-standard","hentry","category-adam-barnett","category-adobe","category-apple","category-cve-2024-38193","category-cve-2025-21377","category-cve-2025-21391","category-cve-2025-21418","category-google-chrome","category-krebsonsecurity","category-microsoft-365-copilot","category-microsoft-patch-tuesday-february-2025","category-other","category-rapid7","category-sans-internet-storm-center","category-satnam-narang","category-tenable","category-time-to-patch","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1941"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=1941"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1941\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=1941"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=1941"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=1941"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}