Microsoft’s big Patch Tuesday fixes over twice as many security flaws as usual

Yesterday was January’s big Patch Tuesday, where Microsoft rolled out a big bundle of security updates across several apps and services, eliminating 159 security vulnerabilities.

This is the most extensive Patch Tuesday of the last few years with more than double the usual number of fixed security flaws. According to Microsoft, three of the patched Windows security vulnerabilities are already being exploited in the wild, and a further five vulnerabilities were already publicly known in advance.

Microsoft doesn’t offer much information on the vulnerabilities for self-searching in the Security Update Guide, but Dustin Childs dives into much more detail on the Zero Day Initiative blog with a slant for admins who manage corporate networks.

The next regular Patch Tuesday will be on February 11, 2025.

Windows vulnerabilities fixed

A large number of the vulnerabilities — 132 this time around — are spread across the various versions of Windows for which Microsoft still offers security updates (i.e., Windows 10, Windows 11, and Windows Server).

Get Windows 11 Pro for cheap

Windows 11 Pro

Price When Reviewed: 69,99 Euro

Best Prices Today: 49,99 € at PC-WELT Software-Shop – Windows 11 Home | 69,99 € at PC-WELT Software-Shop – Windows 11 Pro

Although Windows 7 and 8.1 are no longer mentioned in these security reports, they could still be vulnerable. If you’re on these older versions of Windows and your system requirements allow it, you should definitely switch to Windows 10 or Windows 11 to keep getting security updates.

Windows under attack

According to Microsoft, three of the addressed Windows security vulnerabilities are actively being exploited. The more or less identical Hyper-V vulnerabilities CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335 allow registered attackers to execute code from the guest system with system authorizations on the host. It isn’t known how widespread the attacks on these vulnerabilities currently are.

Critical Windows vulnerabilities

Microsoft classifies a total of eight Windows vulnerabilities as critical. CVE-2025-21298 in Windows OLE (CVSS 9.8) can be exploited via a specially crafted email if this email is opened with Outlook. Although the preview window isn’t a direct attack vector, the preview of a file attachment could lead to code being injected and executed.

In the Remote Desktop Services of a gateway server, CVE-2025-21297 and CVE-2025-21309 (CVSS 8.1) can be remotely attacked by attackers without user login. Although they have to win a race condition in order to exploit a use-after-free vulnerability, hackers can make that happen.

Microsoft has closed 28 similar RCE vulnerabilities (CVSS 8.8) in the Windows telephony service. They’re categorized as high risk and are apparently not being exploited yet.

Microsoft Office vulnerabilities fixed

Microsoft has eliminated 20 vulnerabilities in its Office products. These include a number of RCE vulnerabilities in Word, Excel, Outlook, OneNote, Visio, and SharePoint Server. Three RCE vulnerabilities in Access are considered zero-days.

Microsoft Edge vulnerabilities fixed

The latest security update for Microsoft’s Edge browser is version 131.0.2903.146 from January 10, based on Chromium 131.0.6778.265. However, apart from Microsoft’s update catalog, this update still isn’t documented anywhere by Microsoft.

Google has also released a new major version of Chrome that eliminates a number of vulnerabilities classified as high risk.