Microsoft<\/strong> this week pushed security updates to fix more than 60 vulnerabilities in its Windows<\/strong> operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10<\/strong> users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weaknesses patched today affect all versions of Windows, including Windows 10.<\/p>\n Affected products this month include the Windows OS, Office<\/strong>, SharePoint<\/strong>, SQL Server<\/strong>, Visual Studio<\/strong>, GitHub Copilot<\/strong>, and Azure Monitor Agent<\/strong>. The zero-day threat concerns a memory corruption bug deep in the Windows innards called CVE-2025-62215<\/a>. Despite the flaw\u2019s zero-day status, Microsoft has assigned it an \u201cimportant\u201d rating rather than critical, because exploiting it requires an attacker to already have access to the target\u2019s device.<\/p>\n \u201cThese types of vulnerabilities are often exploited as part of a more complex attack chain,\u201d said Johannes Ullrich<\/strong>, dean of research for the SANS Technology Institute<\/strong>. \u201cHowever, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities.\u201d<\/p>\n Ben McCarthy<\/strong>, lead cybersecurity engineer at Immersive<\/strong>, called attention to CVE-2025-60274<\/a>, a critical weakness in a core Windows graphic component (GDI+) that is used by a massive number of applications, including Microsoft Office, web servers processing images, and countless third-party applications.<\/p>\n \u201cThe patch for this should be an organization\u2019s highest priority,\u201d McCarthy said. \u201cWhile Microsoft assesses this as \u2018Exploitation Less Likely,\u2019 a 9.8-rated flaw in a ubiquitous library like GDI+ is a critical risk.\u201d<\/p>\n Microsoft patched a critical bug in Office<\/strong> \u2014 CVE-2025-62199<\/a> \u2014 that can lead to remote code execution on a Windows system. Alex Vovk<\/strong>, CEO and co-founder of Action1<\/strong>, said this Office flaw is a high priority because it is low complexity, needs no privileges, and can be exploited just by viewing a booby-trapped message in the Preview Pane.<\/span><\/p>\n Many of the more concerning bugs addressed by Microsoft this month affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month. As that deadline rolled around, however, Microsoft began offering Windows 10 users an extra year of free updates, so long as they register their PC to an active Microsoft account.<\/p>\n Judging from the comments on last month\u2019s Patch Tuesday post<\/a>, that registration worked for a lot of Windows 10 users, but some readers reported the option for an extra year of updates was never offered. Nick Carroll<\/strong>, cyber incident response manager at Nightwing<\/strong>, notes that\u00a0Microsoft has recently released an out-of-band update to address issues when trying to enroll<\/a> in the Windows 10 Consumer Extended Security Update program.<\/p>\n \u201cIf you plan to participate in the program, make sure you update and install KB5071959<\/a> to address the enrollment issues,\u201d Carroll said. \u201cAfter that is installed, users should be able to install other updates such as today\u2019s KB5068781 which is the latest update to Windows 10.\u201d<\/p>\n Chris Goettl<\/strong> at Ivanti <\/strong>notes that in addition to Microsoft updates today, third-party updates from Adobe<\/strong> and Mozilla<\/strong> have already been released. Also, an update for Google Chrome<\/strong> is expected soon, which means Edge<\/strong> will also be in need of its own update.<\/p>\n The\u00a0SANS Internet Storm Center<\/strong>\u00a0has a\u00a0clickable breakdown<\/a>\u00a0of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on\u00a0askwoody.com<\/a>, which often has the skinny on any updates gone awry.<\/p>\n As always, please don\u2019t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.<\/p>\n [Author\u2019s note: This post was intended to appear on the homepage on Tuesday, Nov. 11. I\u2019m still not sure how it happened, but somehow this story failed to publish that day. My apologies for the oversight.]<\/em><\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2021\/07\/windupate.png?resize=750%2C528&ssl=1\")
<\/p>\n