The January 2025 Security Update Review

Welcome to the first Patch Tuesday of the new year. Even while preparing for Pwn2Own Automotive, the second Tuesday still brings with it a bevy of security updates from Adobe and Microsoft. Take a break from avoiding your New Year’s resolutions and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for January 2025

For January, Adobe released five bulletins addressing 14 CVEs in Adobe Photoshop, Substance 3D Stager, Illustrator on iPad, Animate, and Substance 3D Designer. One of these bugs was reported through the Trend ZDI program. The patch for Substance 3D Stager is the largest with five Critical-rated bugs being fixed. The worst could lead to arbitrary code execution. The fix for Photoshop is also rated Critical and could result in code execution when opening malicious files. That’s also true for the patch for Adobe Illustrator on iPad. Note that this is specifically the iPad version and not the desktop version, which is interesting. The update for Substance 3D Designer addresses four Critical-rated bugs, all of which could lead to arbitrary code execution. Lastly, the patch for Adobe Animate fixes a single code execution bug.    

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for January 2025

This month, Microsoft released 159(!) new CVEs in Windows and Windows Components, Office and Office Components, Hyper-V, SharePoint Server, .NET and Visual Studio, Azure, BitLocker, Remote Desktop Services, and the Windows Virtual Trusted Platform Module. Three of these were submitted through the Trend ZDI program. With the addition of the third-party CVEs, the entire release tops out at 161 CVEs.

Of the patches released today, 11 are rated Critical, and the other 148 are rated Important in severity. This is the largest number of CVEs addressed in any single month since at least 2017 and is more than double the usual amount of CVEs fixed in January. This comes on the heels of a record number of December patches and could be an ominous sign for patch levels in 2025. It will be interesting to see how this year shapes up.

Five of these bugs are listed as publicly known, and three are listed as under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs currently being exploited:

-       CVE-2025-21333/CVE-2025-21334/CVE-2025-21335 - Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
These three bugs are listed as under active attack, and all have the same description. An authenticated user could use these to execute code with SYSTEM privileges. Although not specified, I would think that if the attacker were executing code at SYSTEM on the hypervisor from a guest, the CVSS would indicate a scope change. Microsoft doesn’t list that, but I’ve disagreed with their CVSS ratings in the past. If you are running Hyper-V, make sure these patches are at the top of your list for testing and deployment.

-       CVE-2025-21298 - Windows OLE Remote Code Execution Vulnerability
This bug rates a CVSS 9.8 and allows a remote attacker to execute code on a target system by sending a specially crafted mail to an affected system with Outlook. Fortunately, the preview pane is not an attack vector, but previewing an attachment could trigger the code execution. The specific flaw exists within the parsing of RTF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. As a mitigation, you can set Outlook to read all standard mail as plain text, but users will likely revolt against such a setting. The best option is to test and deploy this patch quickly.

-       CVE-2025-21295 - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
Besides being a mouthful of a title, this bug impacts a security mechanism, which is never a good sign. It allows remote, unauthenticated attackers to execute code on an affected system without user interaction. The only good news is that there are some barriers to exploitation, but I wouldn’t rely on that fact. I would also consider this a Scope Change, but that’s splitting hairs at this point. Even if you don’t rely on the negotiation mechanism, I wouldn’t wait to test and deploy this patch.

-       CVE-2025-21297/CVE-2025-21309 - Windows Remote Desktop Services Remote Code Execution Vulnerability
Both of these bugs allow arbitrary code execution on affected Remote Desktop Gateway servers from remote, unauthenticated attackers. They just need to connect to the server and trigger a race condition to create a use-after-free bug. While race conditions are somewhat tricky to exploit, we see them used at Pwn2Own frequently. Considering that exploiting this requires no user interaction, I would prioritize this patch, especially if you have these gateways exposed to the Internet.

-       CVE-2025-21308 - Windows Themes Spoofing Vulnerability
This is one of the five publicly known vulnerabilities receiving fixes this month, and for a change, we know where this one is exposed publicly. It turns out that a previous patch (CVE-2024-38030) could be bypassed. The spoofing component here is NTLM credential relaying. Consequently, systems with NTLM restricted are less likely to be exploited. At a minimum, you should be restricting outbound NTLM traffic to remote servers. Fortunately, Microsoft provides guidance on setting this up. Enable those restrictions then patch your systems.

Here’s the full list of CVEs released by Microsoft for January 2025:

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.

Moving on to the other Critical-rated bugs, the vulnerability in Visual Studio requires a user to load a malicious package file. The bug in BranchCache is restricted to adjacent systems only. The bug in RMCAST requires a program listening on a Pragmatic General Multicast (PGM) port. Since there’s no authentication in PGM, these systems should not be exposed to the internet. However, on these systems, this bug is technically wormable – just only between systems configured in this manner. The NTLM bug is disturbing since it can be reached from the internet, but it only affects NTLMv1. You have updated everything to v2 – right? If not, Microsoft provides some guidance on making that happen. The bug in the Digest Authentication works in the same manner as the Remote Desktop bugs mentioned above. Finally, there a couple of other Critical bugs documented, but there’s no action for the end user as Microsoft already mitigated them.

There are almost 60 code execution bugs receiving fixes this month, including several open-and-own bugs in Office components. This includes three publicly known bugs in Access. Only one of these bugs can be hit from the Preview Pane by previewing attachments, and that is for legacy versions of Outlook for Mac. The Windows Telephony Service receives 28 patches this month. However, these require user interaction and are unlikely to be exploited. The bug in Direct Show requires an authenticated user to click a malicious link. Beyond the open-and-own bug in .NET and Visual Studio, the other code execution vulnerability in .NET requires extensive user interaction. The bug in GDI+ also requires the attacker to be authenticated. Finally, the bug in the Line Printer Daemon reminds me of the PrintNightmare bugs from a few years ago. An attacker would just need to send a specially crafted request to an affected system to gain arbitrary code execution on the server. And yes, that is an update for Internet Explorer you see. No matter how hard we try, we can’t be rid of the thing. At least it requires user interaction.

The January release includes more than three dozen privilege escalation bugs. However, most of these either lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. There are some notable exceptions. More than half of these are for the Digital Media component and require the attacker to plug in a USB drive into an affected system. This would lead to code execution as SYSTEM. The bug in the Recovery Environment also requires physical access, but Microsoft provides no further information on how it would be exploited. Several of the EoP fixes this month are related to container or sandbox escapes. For example, the bugs in the Brokering File System can be executed in a low-privileged AppContainer but result in access beyond what is intended. The bugs in PrintWorkflowUserSvc also result in sandbox escapes. The remaining bugs lead to access beyond what is intended, but these are not likely to be exploited due to their access complexity.

There are a dozen different security feature bypass (SFB) bugs receiving fixes this month, and the one that immediately jumps out is the bypass of Mark of the Web (MoTW) protections. We saw this technique used often in 2024 by ransomware and crypto scammers. The bug in Excel evades macro protections. Similarly, the SFB in Office bypasses Windows Defender Application Control (WDAC) enforcement. There are multiple updates for this one, too, so make sure you get them all. The bugs in Secure Boot bypass – you guessed it – Secure Boot. They list the title as Kerberos, but the Windows Defender Credential Guard Feature is really what’s being bypassed, which could leak Kerberos credentials. The bugs bypassing MapUrlToZone and HTML Platform Security protections require user interaction. Microsoft provides no information on what is being bypassed in the Virtualization-Based Security (VBS) component, so let the speculation begin.

This release includes fixes for multiple information disclosure bugs and most simply result in info leaks consisting of unspecified memory contents. There are a few that also lead to the disclosure of the ever-nebulous “sensitive information.” However, there are some significant information disclosure bugs receiving fixes this month. The first is in the SAP HANA SSO for On-Premises Data Gateway, which could disclose PowerBI data available from the dashboard. A few of the Kernel bugs are special as well. They only disclose random heap memory, but they require multiple patches to fully resolve the vulnerability. The bug in the Cryptographic component could leak the contents of encrypted PKCS1 information. The most troubling are the bugs in BitLocker. One could disclose unencrypted hibernation images in cleartext, while the other leaks the BitLocker key. Both of these require physical access, but since BitLocker is specifically designed to block attackers with physical access, it makes these bugs rather unfortunate.

Microsoft must have heard our pleas because there is actually a small amount of detail given for the 20 Denial-of-Service (DoS) bugs being fixed this month. The bugs in Message Queuing impact the availability of the service when an attacker sends specially crafted packets to the service. That’s the same for the Connected Devices Platform Service (Cdpsvc). The bug in the IP Helper results in an application crash if specially crafted packets are received by the app. The bug in the Security Account Manager (SAM) would cause the app to crash, but it’s not clear if it would automatically restart. The bug in the TPM could result in a total loss of availability. Alas, we will need to cry louder, for that is all of the detail Microsoft provides regarding the DoS fixes this month.

Finally, there are three spoofing bugs fixed in the release. The bug in SmartScreen looks awfully familiar, as the researcher credited has reported several spoofing bugs in SmartScreen. This always makes me think the previous patches were insufficient. The spoofing bug in SharePoint presents as a cross-site scripting (XSS) bug. No real information is given about the spoofing bug in Active Directory Federation Server other than to say that user interaction is required.

No new advisories are being released this month.

Looking Ahead

The next Patch Tuesday of 2025 will be on February 11, and assuming I survive Pwn2Own Automotive, I’ll return with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!