Yesterday was January’s big Patch Tuesday, where Microsoft rolled out a big bundle of security updates across several apps and services, eliminating 159 security vulnerabilities.
This is the most extensive Patch Tuesday of the last few years with more than double the usual number of fixed security flaws. According to Microsoft, three of the patched Windows security vulnerabilities are already being exploited in the wild, and a further five vulnerabilities were already publicly known in advance.
Microsoft doesn’t offer much information on the vulnerabilities for self-searching in the Security Update Guide, but Dustin Childs dives into much more detail on the Zero Day Initiative blog with a slant for admins who manage corporate networks.
The next regular Patch Tuesday will be on February 11, 2025.
Windows vulnerabilities fixed
A large number of the vulnerabilities — 132 this time around — are spread across the various versions of Windows for which Microsoft still offers security updates (i.e., Windows 10, Windows 11, and Windows Server).
Get Windows 11 Pro for cheap
Windows 11 Pro
Although Windows 7 and 8.1 are no longer mentioned in these security reports, they could still be vulnerable. If you’re on these older versions of Windows and your system requirements allow it, you should definitely switch to Windows 10 or Windows 11 to keep getting security updates.
Windows under attack
According to Microsoft, three of the addressed Windows security vulnerabilities are actively being exploited. The more or less identical Hyper-V vulnerabilities CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335 allow registered attackers to execute code from the guest system with system authorizations on the host. It isn’t known how widespread the attacks on these vulnerabilities currently are.
Critical Windows vulnerabilities
Microsoft classifies a total of eight Windows vulnerabilities as critical. CVE-2025-21298 in Windows OLE (CVSS 9.8) can be exploited via a specially crafted email if this email is opened with Outlook. Although the preview window isn’t a direct attack vector, the preview of a file attachment could lead to code being injected and executed.
In the Remote Desktop Services of a gateway server, CVE-2025-21297 and CVE-2025-21309 (CVSS 8.1) can be remotely attacked by attackers without user login. Although they have to win a race condition in order to exploit a use-after-free vulnerability, hackers can make that happen.
Microsoft has closed 28 similar RCE vulnerabilities (CVSS 8.8) in the Windows telephony service. They’re categorized as high risk and are apparently not being exploited yet.
Microsoft Office vulnerabilities fixed
Microsoft has eliminated 20 vulnerabilities in its Office products. These include a number of RCE vulnerabilities in Word, Excel, Outlook, OneNote, Visio, and SharePoint Server. Three RCE vulnerabilities in Access are considered zero-days.
Microsoft Edge vulnerabilities fixed
The latest security update for Microsoft’s Edge browser is version 131.0.2903.146 from January 10, based on Chromium 131.0.6778.265. However, apart from Microsoft’s update catalog, this update still isn’t documented anywhere by Microsoft.
Google has also released a new major version of Chrome that eliminates a number of vulnerabilities classified as high risk.
Login to add comment
Other posts in this group
It wasn’t that long ago that you could easily snap up a Chromecast wi
Windows 11 users have been grumbling about Remote Desktop Protocol (R
Could you fix your laptop if it breaks? And I mean physically fix it
It’s been 12 years since Grand Theft Auto V was originally r
