Security News ZDI: The February 2025 Security Update Review

[Gandalf_The_Grey]

Content source

https://www.zerodayinitiative.com/blog/2025/2/11/the-february-2025-security-update-review

We’ve survived Pwn2Own Automotive and made it to the second Patch Tuesday of 2025. As always, Microsoft and Adobe have released their latest security patches. Take a break from your scheduled activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for February 2025

For February, Adobe released seven bulletins addressing 45 CVEs in Adobe InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer, and Adobe Photoshop Elements. The largest by far is the update for Commerce with 31 CVEs addressed. While there are some cross-site scripting (XSS) bugs addressed, there are also some security feature bypasses and Critical-rated code execution bugs, too. The update for InDesign fixes seven bugs, four of which are rated Critical. The three bugs in Illustrator are also rated Critical and could lead to arbitrary code execution when opening a malicious file.

The patch for Substance 3D Stager fixes a single DoS bug. The fix for InCopy is also a single bug, but this one is a Critical-rated code execution. That’s the same case of the Substance 3D Designer patch. The final Adobe patch for February covers an Important-rated privilege escalation in Photoshop Elements.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for February 2025

This month, Microsoft released 57 new CVEs in Windows and Windows Components, Office and Office Components, Azure, Visual Studio, and Remote Desktop Services. Two of these were submitted through the Trend ZDI program. With the addition of the third-party CVEs, the entire release tops out at 67 CVEs.

Of the patches released today, three are rated Critical, 53 are rated Important, and one is rated Moderate in severity. After a couple of record-breaking releases, this volume of fixes is more in line with expectations. Let’s hope this trend, rather than monster releases, remains the norm for 2025.

Two of these bugs are listed as publicly known, and two others are listed as under active attack at the time of release.

...

Looking Ahead

The next Patch Tuesday of 2025 will be on March 11, and I’ll return with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Zero Day Initiative — The February 2025 Security Update Review

We’ve survived Pwn2Own Automotive and made it to the second Patch Tuesday of 2025. As always, Microsoft and Adobe have released their latest security patches. Take a break from your scheduled activities and join us as we review the details of their latest security alerts. If you’d rather watch the f

www.zerodayinitiative.com

 

[Gandalf_The_Grey]

Bleeping Computer:

Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws

Today is Microsoft's February 2025 Patch Tuesday, which includes security updates for 55 flaws, including four zero-day vulnerabilities, with two actively exploited in attacks.

www.bleepingcomputer.com

Ghacks:

The Windows security updates for February 2025 are now available - gHacks Tech News

Microsoft has released security updates for Windows. Our overview provides you with information about the releases and actionable advice.

www.ghacks.net