Zero Day Initiative | Blog
Follow
The January 2025 Security Update Review
Adobe has released five security bulletins addressing 14 CVEs in various products, including Photoshop, Substance 3D Stager, Illustrator on iPad, Animate, and Substance 3D Designer. None of the bugs fixed by Adobe this month are listed as publicly known or under active attack. Microsoft has released 159 new CVEs in various products, including Windows, Office, Hyper-V, SharePoint Server, .NET, and Visual Studio. Three of these CVEs were submitted through the Trend ZDI program. 11 of the patches released by Microsoft are rated Critical, and the other 148 are rated Important in severity. Five of the bugs are listed as publicly known, and three are listed as under active attack. The most critical vulnerabilities include those in Windows Hyper-V, Windows OLE, SPNEGO Extended Negotiation, and Windows Remote Desktop Services. These vulnerabilities could allow arbitrary code execution, elevation of privilege, and remote code execution. It is recommended to prioritize patching these vulnerabilities, especially if you have systems exposed to the internet. The large number of CVEs addressed this month may be an ominous sign for patch levels in 2025.