Security News ZDI: The January 2025 Security Update Review

Gandalf_The_Grey

Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,566
Welcome to the first Patch Tuesday of the new year. Even while preparing for Pwn2Own Automotive, the second Tuesday still brings with it a bevy of security updates from Adobe and Microsoft. Take a break from avoiding your New Year’s resolutions and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Adobe Patches for January 2025

For January, Adobe released five bulletins addressing 14 CVEs in Adobe Photoshop, Substance 3D Stager, Illustrator on iPad, Animate, and Substance 3D Designer. One of these bugs was reported through the Trend ZDI program. The patch for Substance 3D Stager is the largest with five Critical-rated bugs being fixed. The worst could lead to arbitrary code execution. The fix for Photoshop is also rated Critical and could result in code execution when opening malicious files. That’s also true for the patch for Adobe Illustrator on iPad. Note that this is specifically the iPad version and not the desktop version, which is interesting. The update for Substance 3D Designer addresses four Critical-rated bugs, all of which could lead to arbitrary code execution. Lastly, the patch for Adobe Animate fixes a single code execution bug.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for January 2025

This month, Microsoft released 159(!) new CVEs in Windows and Windows Components, Office and Office Components, Hyper-V, SharePoint Server, .NET and Visual Studio, Azure, BitLocker, Remote Desktop Services, and the Windows Virtual Trusted Platform Module. Three of these were submitted through the Trend ZDI program. With the addition of the third-party CVEs, the entire release tops out at 161 CVEs.

Of the patches released today, 11 are rated Critical, and the other 148 are rated Important in severity. This is the largest number of CVEs addressed in any single month since at least 2017 and is more than double the usual amount of CVEs fixed in January. This comes on the heels of a record number of December patches and could be an ominous sign for patch levels in 2025. It will be interesting to see how this year shapes up.

Five of these bugs are listed as publicly known, and three are listed as under active attack at the time of release.
Looking Ahead

The next Patch Tuesday of 2025 will be on February 11, and assuming I survive Pwn2Own Automotive, I’ll return with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
 
  • +Reputation
Reactions: silversurfer

Gandalf_The_Grey

Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,566
Ghacks: The Windows security updates for January 2025 are now available
Same procedure as every year. Microsoft released the first batch of security updates of 2025 a moment ago. Security updates are available for all supported client and server versions of Windows and also other company products, including Microsoft Office.

Our overview of the monthly security updates provides users and system administrators with information and actionable advice. It pulls information from various sources, including several official Microsoft websites and official release notes.

You find, among other things, a list of known issues, direct download links, the list of major changes, a security assessment, and more in the paragraphs that follow.

You may download the following Excel spreadsheet to get a list of released updates. Click on the following link to download the archive to the local device: Windows Security Updates January 2025 Excel
 

Gandalf_The_Grey

Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,566
Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws
Today is Microsoft's January 2025 Patch Tuesday, which includes security updates for 159 flaws, including eight zero-day vulnerabilities, with three actively exploited in attacks.

This Patch Tuesday also fixes twelve "Critical" vulnerabilities, including information disclosure, privileges elevation, and remote code execution flaws.

The number of bugs in each vulnerability category is listed below:
  • 40 Elevation of Privilege Vulnerabilities
  • 14 Security Feature Bypass Vulnerabilities
  • 58 Remote Code Execution Vulnerabilities
  • 24 Information Disclosure Vulnerabilities
  • 20 Denial of Service Vulnerabilities
  • 5 Spoofing Vulnerabilities
 
  • Like
Reactions: harlan4096

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top