
February's Patch Tuesday sees Microsoft offer just 63 fixes

(2025/02/12)


Patch Tuesday Microsoft’s February patch collection is mercifully smaller than January’s mega-dump. But don't get too relaxed – some deserve close attention, and other vendors have stepped in with plenty more fixes.

Of the [1]63 patches (including six released earlier in the month) Microsoft announced, two are already being exploited.

Both require attackers to be local and authenticated. One is [2]CVE-2025-21418, a CVSS 7.8-scored elevation of privilege vulnerability in the Windows Ancillary Function Driver for Winsock that allows an attacker to run a specially crafted program and gain SYSTEM-level privileges. The flaw affects machines running Windows 10, 11, and various versions of Windows Server.


The other is [4]CVE-2025-21391, a CVSS 7.1-rated elevation of privilege vulnerability in Windows Storage that lets a local attacker delete files under limited and vague conditions. As Windows Storage is present in Windows Server, that raises the possibility that data apps rely on could be deleted.


Microsoft also detailed two issues that are publicly known, even if they haven't yet been exploited. Those of you with Surface kit (a laptop or tablet) may wish to consider fixing [7]CVE-2025-21194, a 7.1-rated vulnerability that means some PCs are susceptible to compromise of the hypervisor and the secure kernel.

Hypervisor compromises are very nasty, but Microsoft says exploiting this flaw “requires multiple conditions to be met, such as specific application behavior, user actions, manipulation of parameters passed to a function, and impersonation of an integrity level token.”


The other known vulnerability is [9]CVE-2025-21377, which could leak a user's NTLMv2 hash. What makes this CVSS 6.5 flaw particularly annoying is that the user doesn't need to do much: simply selecting the file (single-click), right-clicking to inspect it, or performing another action short of opening or executing it can trigger the vulnerability.


Microsoft’s highest-scored February flaw is [14]CVE-2025-21198, which earned a 9.0 CVSS rating. This one could have serious consequences for high-performance computing infrastructure by allowing remote code execution. The attacker would need access to the network connecting machines in a targeted HPC cluster, but once exploited, this flaw could extend to other clusters and nodes within the same network.

"An attacker could exploit this vulnerability by sending a specially crafted HTTPS request to the targeted head node or Linux compute node granting them the ability to perform RCE on other clusters or nodes connected to the targeted head node," Microsoft warned.

Excel received five patches this month, all rated 7.8, with one deemed a critical patching priority by Redmond and four classed as important. [15]CVE-2025-21381 is the one Microsoft wants you to fix first as it allows remote code execution, though it is technically classified as a local attack. The "remote" aspect refers to how the attacker delivers the malicious file to abuse the bug. In this case, an attacker could use social engineering to trick a victim into opening a specially crafted file, leading to arbitrary code execution.

Microsoft also urges attention to [16]CVE-2025-21379, a flaw in the DHCP Client Service for all builds of Windows. The 7.1-rated bug is hard to exploit and requires an attacker to thoroughly map the network and execute a machine-in-the-middle (MITM) attack with precision. If an attacker can do that, they may be deep in your infrastructure by the time they get around to targeting this flaw.

Domain controllers get tough

Admins should be on alert as Microsoft’s changes to certificate-based authentication on domain controllers come into force on February 11.

"By February 2025, if the StrongCertificateBindingEnforcement registry key is not configured, domain controllers will move to Full Enforcement mode. Otherwise, the registry key's Compatibility mode setting will continue to be honored," Redmond [17]warned in an advisory.

"In Full Enforcement mode, if a certificate fails the strong (secure) mapping criteria (see Certificate mappings), authentication will be denied. However, the option to move back to Compatibility mode will remain until September 2025."

In practice, this means some certificate mappings may need to be reconfigured, especially if certificates contain conflicts like User Principal Names (UPNs) overlapping with sAMAccountNames or missing dollar signs at the end of machine names.

After installing the patches, keep an eye on audit logs for unusual Event IDs that might indicate problematic certificates—these will be your early warning system.
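As an added example (not from the article or from Microsoft), this PowerShell check, run on a domain controller, reports which StrongCertificateBindingEnforcement mode the KDC is in and collects the certificate-mapping audit events the advisory tells admins to watch for. The registry path, value meanings and event IDs 39, 40 and 41 are those documented in KB5014754; the seven-day look-back window is an assumption.

```powershell
# Added example: check the KDC certificate-binding mode and pull KB5014754 mapping events.
# Registry location, value meanings and event IDs come from KB5014754; $days is an assumption.
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$days   = 7

# 0 = Disabled, 1 = Compatibility, 2 = Full Enforcement. An absent value now means
# Full Enforcement, which is the February 2025 change described in the advisory.
$modeNames = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'Full Enforcement' }
$value = (Get-ItemProperty -Path $kdcKey -Name StrongCertificateBindingEnforcement `
          -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
if ($null -eq $value) {
    Write-Output 'StrongCertificateBindingEnforcement not set: KDC defaults to Full Enforcement'
} else {
    $name = if ($modeNames.ContainsKey([int]$value)) { $modeNames[[int]$value] } else { 'unknown' }
    Write-Output ("StrongCertificateBindingEnforcement = {0} ({1})" -f $value, $name)
}

# KDC events from KB5014754 (System log): 39 = certificate valid but not strongly mapped,
# 40 = certificate predates the account, 41 = certificate SID does not match the account.
# In Compatibility mode these are warnings; in Full Enforcement the same logons are refused.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 39, 40, 41
    StartTime    = (Get-Date).AddDays(-$days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No KDC mapping events (39/40/41) in the last $days days"
} else {
    # Count per event ID, then show the most recent entries so the weak mappings can be fixed
    $events | Group-Object Id | Sort-Object Name |
        ForEach-Object { Write-Output ("Event {0}: {1} occurrence(s)" -f $_.Name, $_.Count) }
    $events | Select-Object TimeCreated, Id, Message -First 20 | Format-List
}
```

Run it on every domain controller, since each KDC reads its own registry key and logs its own events.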

Technically [18]CVE-2025-21177, a CVSS 8.7 flaw that allows an elevation of privileges attack against Dynamics 365, is also rated critical by Microsoft. Thankfully, however, Redmond has already fully mitigated this vulnerability, and there's no action required from users.

If you're a Windows Telephony user, six patches await, all ranked as important by Redmond and with CVSS scores of 8.8. For Office users, Microsoft has patched multiple vulnerabilities, including a couple of remote code execution flaws and a spoofing vulnerability affecting the suite.

Other vendors patch, too

It wouldn't be a Patch Tuesday without Adobe adding to the load with 45 patches, although unusually there are no patches for Acrobat this month.

31 of the patches apply to [19]Adobe Commerce, fixing cross-site scripting (XSS) bugs, security feature bypasses, and Critical-rated code execution flaws. Users of the open source Magento software should prioritize these updates, as that project remains a frequent target of attacks.


[21]InDesign gets seven bug fixes, four of them rated critical, while [22]Illustrator's three critical-rated bugs could lead to arbitrary code execution when opening a malicious file.

[23]Substance 3D and [24]InCopy both receive a single critical-rated code execution fix, while [25]Photoshop is patched for an important-rated privilege escalation flaw, applicable to macOS on Arm.

SAP [26]pushed out 21 individual patches, ranging in CVSS score from 8.8 to 3.1. The bulk apply to NetWeaver, including a cross-site scripting issue. Additionally, SAP’s Enterprise Project Connection gets a patch that fixes multiple problems.

Fortinet has issued security updates for multiple products, notably addressing a [27]critical authentication bypass vulnerability in FortiOS and FortiProxy. With a CVSS score of 9.6, this one looks like a strong candidate to be applied in your next change window. ®




[1] https://msrc.microsoft.com/update-guide/releaseNote/2025-Feb

[2] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-21418


[4] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-21391


[7] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-21194


[9] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-21377


[14] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-21198

[15] https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21381

[16] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-21379

[17] https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

[18] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21177

[19] https://helpx.adobe.com/security/products/magento/apsb25-08.html


[21] https://helpx.adobe.com/security/products/indesign/apsb25-01.html

[22] https://helpx.adobe.com/security/products/illustrator/apsb25-11.html

[23] https://helpx.adobe.com/security/products/substance3d_stager/apsb25-09.html

[24] https://helpx.adobe.com/security/products/incopy/apsb25-10.html

[25] https://helpx.adobe.com/security/products/photoshop_elements/apsb25-13.html

[26] https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2025.html

[27] https://www.fortiguard.com/psirt/FG-IR-24-535




Yorick Hunt

Their fixes are always small in number - the big question is, how many things did they break?

leak a user's NTLMv2

david 12

Although I haven't been able to find any information -- none at all -- it is likely that the 'file' is a shortcut (.lnk) pointing to some offsite location, and that Windows is attempting to authenticate against that offsite location. Potentially there are other ways of doing the same thing (shell scraps, etc.), some of which might be non-obvious.

If anybody finds more discussion, I'm curious.
