January 15, 2025
By Cybervergent Team

Microsoft Patch January

Microsoft’s January 2025 Patch Tuesday delivers fixes for a record-breaking 161 security vulnerabilities across its software portfolio. The updates address 11 Critical and 149 Important severity vulnerabilities, alongside one unclassified flaw in Windows Secure Boot (CVE-2024-7344). This includes eight zero-day vulnerabilities, with three actively exploited in the wild. This update marks the largest number of CVEs addressed in a single month since 2017, underscoring the importance of immediate action.

Vulnerability Breakdown

The updates include:

  • 40 Elevation of Privilege Vulnerabilities
  • 14 Security Feature Bypass Vulnerabilities
  • 58 Remote Code Execution Vulnerabilities
  • 24 Information Disclosure Vulnerabilities
  • 20 Denial of Service Vulnerabilities
  • 5 Spoofing Vulnerabilities

The patches also address seven additional vulnerabilities in Microsoft Edge, fixed since December 2024’s updates.

Critical and Actively Exploited Vulnerabilities

Actively Exploited Zero-Days

  1. CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 – Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerabilities
  • Impact: Exploitation grants SYSTEM privileges.
  • Details: These privilege escalation bugs target the Virtualization Service Provider (VSP) in Hyper-V’s root partition, potentially enabling post-compromise attacks. These flaws are now listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by February 4, 2025.

Publicly Disclosed Zero-Days

  1. CVE-2025-21275 – Windows App Package Installer Elevation of Privilege Vulnerability
  • Impact: Allows SYSTEM privilege escalation.
  • Details: Exploitation involves manipulating the Windows App Package Installer. Reported anonymously.
  2. CVE-2025-21308 – Windows Themes Spoofing Vulnerability
  • Impact: Can leak NTLM hashes, enabling password cracking or pass-the-hash attacks.
  • Mitigations:
    • Disable NTLM.
    • Enable the policy: “Restrict NTLM: Outgoing NTLM traffic to remote servers.”
  • Credit: Discovered by Blaz Satler of 0patch.
  3. CVE-2025-21186, CVE-2025-21366, CVE-2025-21395 – Microsoft Access Remote Code Execution Vulnerabilities
  • Impact: Remote code execution; exploitation requires convincing a user to open a malicious Microsoft Access file.
  • Details: The update mitigates these flaws by blocking email delivery of the affected Access file types. Discovered by Unpatched.ai.

Additional Critical Vulnerabilities

  1. CVE-2025-21294 – Microsoft Digest Authentication RCE Vulnerability
  • Impact: Exploitation requires winning a race condition that leads to a use-after-free.
  2. CVE-2025-21295 – SPNEGO NEGOEX Security Mechanism RCE Vulnerability
  • Impact: Unauthenticated attackers can execute remote code.
  3. CVE-2025-21298 – Windows OLE RCE Vulnerability
  • Impact: Exploitation may occur when victims open or preview malicious emails.
  • Mitigations:
    • Read email messages in plain text format.
    • Avoid opening RTF files from untrusted sources.
  4. CVE-2025-21307 – Windows RMCAST Driver RCE Vulnerability
  • Impact: Allows remote code execution through crafted network packets.
  5. CVE-2025-21311 – Windows NTLM V1 Elevation of Privilege Vulnerability
  • Impact: Exploitation enables attackers to elevate privileges via outdated authentication mechanisms.

Noteworthy Vulnerabilities

  1. CVE-2025-21210 – Windows BitLocker Information Disclosure Vulnerability
  • Impact: Hibernation images may expose sensitive data if attackers gain physical access to the hard disk.
  • Details: Hibernation files can reveal credentials, PII, and session data.

Recommendations

  1. Apply Updates Immediately: Patch systems to address actively exploited and critical vulnerabilities.
  2. Secure Hyper-V Environments: Review configurations to minimize exposure to VSP-related risks.
  3. Mitigate NTLM Risks: Disable NTLM or enable restrictive policies to protect against spoofing.
  4. Block Risky File Types: Implement email filtering for vulnerable Microsoft Access files.
  5. Enable Email Safeguards: Read emails in plain text and avoid interacting with suspicious RTF files.
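The NTLM mitigations called out for CVE-2025-21308 and CVE-2025-21311 (and in recommendation 3) can be audited across a fleet with a short PowerShell check. The following is an added example, not code from the Cybervergent advisory: the function name Get-NtlmHardeningState is our own, and the registry paths and value names are assumed to be the standard locations behind the named Group Policy settings (LmCompatibilityLevel under Lsa, RestrictSendingNTLMTraffic under Lsa\MSV1_0); confirm them against your own baseline before acting on the report.

```powershell
# Added example (not from the Cybervergent advisory): audit-only check of the two
# NTLM hardening settings recommended for CVE-2025-21308 (NTLM hash leak) and
# CVE-2025-21311 (NTLMv1 elevation of privilege). Registry locations are assumed
# to be the standard ones behind the corresponding Group Policy settings.
function Get-NtlmHardeningState {
    [CmdletBinding()]
    param()

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    # "Network security: LAN Manager authentication level". Only level 5 refuses
    # inbound LM and NTLMv1; an absent value means the OS default (3 on current
    # Windows), which still accepts NTLMv1 from clients.
    $lmLevel = (Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel `
                -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $lmLevel) { $lmLevel = 3 }

    # "Restrict NTLM: Outgoing NTLM traffic to remote servers".
    # 0 or absent = allow all, 1 = audit all, 2 = deny all.
    $outgoing = (Get-ItemProperty -Path $msvKey -Name RestrictSendingNTLMTraffic `
                 -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    if ($null -eq $outgoing) { $outgoing = 0 }

    $findings = @()
    if ($lmLevel -lt 5) {
        $findings += "LmCompatibilityLevel=$lmLevel still accepts NTLMv1 (set to 5; relevant to CVE-2025-21311)"
    }
    if ($outgoing -ne 2) {
        $findings += "RestrictSendingNTLMTraffic=$outgoing does not block outbound NTLM (set to 2, or 1 to audit first; relevant to CVE-2025-21308)"
    }

    # One record per host so results from many machines can be collected and filtered.
    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        LmCompatibilityLevel       = $lmLevel
        RestrictSendingNTLMTraffic = $outgoing
        Hardened                   = ($findings.Count -eq 0)
        Findings                   = $findings
    }
}

# Run locally, or fan out over a host list with Invoke-Command, e.g.:
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-NtlmHardeningState}
Get-NtlmHardeningState | Format-List
```

The check is deliberately read-only: setting LmCompatibilityLevel to 5 or denying outbound NTLM can break legacy services, so stage the change with the audit value (1) and review the resulting NTLM audit events before enforcing it.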