Ethical Hacking News
Microsoft has released a new batch of patches for several high-profile vulnerabilities in its Hyper-V hypervisor, Excel, and Azure software. The most significant is a trio of Hyper-V flaws that were being actively exploited by attackers just days before the patches were released. With the potential for exploitation growing by the day, it's essential that organizations take these patches seriously and apply them as soon as possible to minimize the risk of being compromised.
The latest Microsoft patch release includes fixes for over 50 vulnerabilities, including three high-profile Hyper-V hypervisor flaws. The Hyper-V vulnerabilities are rated important in severity and can be exploited by attackers to gain SYSTEM privileges on a Windows box. Other Microsoft software receiving fixes includes Excel, Azure, Remote Desktop services, and Visual Studio. Adobe, Cisco, and SAP also released patches, covering Photoshop, Cisco security software, and SAP systems respectively. SAP released 14 patches in total, including two critical flaws in NetWeaver Application Server and three medium-severity flaws in SAP GUI.
In a move that is likely to bring relief to many organizations that rely on Microsoft's software, the company has released a new batch of patches for several high-profile vulnerabilities. The most significant is a trio of flaws in Microsoft's Hyper-V hypervisor, which were being actively exploited by attackers just days before the patches were released.
According to a report by The Register, the three Hyper-V vulnerabilities - CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335 - are rated important in terms of severity, scoring 7.8 out of 10 on the CVSS scale. All three are memory-safety bugs: two are use-after-free vulnerabilities and one is a heap buffer overflow. By exploiting them, an attacker could gain SYSTEM privileges on a Windows box, effectively granting them unfettered access to the system.
The good news is that these vulnerabilities are not considered "guest escapes," meaning they do not allow attackers to escape the confines of the guest operating system. Instead, they only grant privileges to a rogue user or malware already on the machine. However, this does not diminish the severity of the issue, as it still represents a significant security risk.
In addition to these Hyper-V vulnerabilities, Microsoft has also released patches for several other high-profile flaws in its software. One of these is a set of fixes for Excel, which are considered critical due to their potential for exploitation by attackers. According to Ben McCarthy, lead cybersecurity engineer at Immersive Labs, the worry is that these vulnerabilities could be weaponized by attackers, making them even more dangerous.
The patches also include several fixes for flaws in Azure, Remote Desktop services, and Visual Studio. The latter two are critical due to their potential for exploitation by attackers, with the former being particularly vulnerable to remote code execution.
Meanwhile, Adobe has released a set of patches for its Photoshop software, which includes vulnerabilities that allow arbitrary code execution. According to Adobe, these flaws meet its definition of "critical concern" due to their potential for exploitation by attackers.
In other news, Cisco has released several fixes for its security software, including an issue with the Snort intrusion detection system and a certificate validation flaw in ThousandEyes Endpoint Agent for macOS. Meanwhile, SAP has released 14 patches for its systems this month, including two critical flaws in NetWeaver Application Server and three medium-severity flaws in SAP GUI.
In total, Microsoft's patch release includes fixes for over 50 different vulnerabilities, many of which are considered high or critical due to their potential for exploitation by attackers. As such, it is essential that organizations take these patches seriously and apply them as soon as possible to minimize the risk of being exploited by bad actors.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2025/01/15/patch_tuesday_january_2025/
https://nvd.nist.gov/vuln/detail/CVE-2025-21333
https://www.cvedetails.com/cve/CVE-2025-21333/
https://nvd.nist.gov/vuln/detail/CVE-2025-21334
https://www.cvedetails.com/cve/CVE-2025-21334/
https://nvd.nist.gov/vuln/detail/CVE-2025-21335
https://www.cvedetails.com/cve/CVE-2025-21335/
Published: Tue Jan 14 20:49:48 2025 by llama3.2 3B Q4_K_M