Gandalf_The_Grey
Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 7,566
Welcome to the first Patch Tuesday of the new year. Even while preparing for Pwn2Own Automotive, the second Tuesday still brings with it a bevy of security updates from Adobe and Microsoft. Take a break from avoiding your New Year’s resolutions and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Adobe Patches for January 2025
For January, Adobe released five bulletins addressing 14 CVEs in Adobe Photoshop, Substance 3D Stager, Illustrator on iPad, Animate, and Substance 3D Designer. One of these bugs was reported through the Trend ZDI program. The patch for Substance 3D Stager is the largest with five Critical-rated bugs being fixed. The worst could lead to arbitrary code execution. The fix for Photoshop is also rated Critical and could result in code execution when opening malicious files. That’s also true for the patch for Adobe Illustrator on iPad. Note that this is specifically the iPad version and not the desktop version, which is interesting. The update for Substance 3D Designer addresses four Critical-rated bugs, all of which could lead to arbitrary code execution. Lastly, the patch for Adobe Animate fixes a single code execution bug.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for January 2025
This month, Microsoft released 159(!) new CVEs in Windows and Windows Components, Office and Office Components, Hyper-V, SharePoint Server, .NET and Visual Studio, Azure, BitLocker, Remote Desktop Services, and the Windows Virtual Trusted Platform Module. Three of these were submitted through the Trend ZDI program. With the addition of the third-party CVEs, the entire release tops out at 161 CVEs.
Of the patches released today, 11 are rated Critical, and the other 148 are rated Important in severity. This is the largest number of CVEs addressed in any single month since at least 2017 and is more than double the usual amount of CVEs fixed in January. This comes on the heels of a record number of December patches and could be an ominous sign for patch levels in 2025. It will be interesting to see how this year shapes up.
Five of these bugs are listed as publicly known, and three are listed as under active attack at the time of release.
Looking Ahead
The next Patch Tuesday of 2025 will be on February 11, and assuming I survive Pwn2Own Automotive, I’ll return with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Zero Day Initiative — The January 2025 Security Update Review
Welcome to the first Patch Tuesday of the new year. Even while preparing for Pwn2Own Automotive , the second Tuesday still brings with it a bevy of security updates from Adobe and Microsoft. Take a break from avoiding your New Year’s resolutions and join us as we review the details of their latest