Source URL: https://krebsonsecurity.com/2025/07/microsoft-patch-tuesday-july-2025-edition/
Source: Krebs on Security
Title: Microsoft Patch Tuesday, July 2025 Edition
Feedly Summary: Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical" rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users.
AI Summary and Description: Yes
Summary: Microsoft has released updates to address 137 security vulnerabilities in its Windows operating systems and supported software, with 14 classified as critical. Among these vulnerabilities, CVE-2025-49719 poses a significant information disclosure risk. The update includes multiple remote code execution flaws that could allow attackers broad control over affected systems. Security professionals should prioritize patching these vulnerabilities to mitigate risks to sensitive data.
Detailed Description: Microsoft recently rolled out patches for 137 different security vulnerabilities that affect its Windows operating systems and associated software. Notably, among these vulnerabilities are:
– **Critical Vulnerabilities**: 14 of the addressed flaws are marked as “critical,” meaning they can potentially allow attackers to take control of vulnerable Windows PCs with minimal user intervention.
– **CVE-2025-49719**: This is an information disclosure vulnerability affecting SQL Server versions dating back to 2016. Despite being rated less likely to be exploited, its existence and the availability of proof-of-concept code necessitate prioritized patching for enterprises.
– **Supply-Chain Risk**: The exploitation of CVE-2025-49719 could impact third-party applications reliant on SQL servers, leading to potential supply-chain vulnerabilities that extend beyond direct SQL Server users.
– **Memory Management and Input Validation**: The fundamental issues identified in SQL Server’s handling of memory management and input validation are concerning for organizations managing sensitive or regulated data.
– **CVE-2025-47981**: This vulnerability has a CVSS score of 9.8 and relates to remote code execution due to the negotiation of supported authentication methods in Windows clients and servers. Its potential for exploitation makes it a significant concern.
– **Office Suite Vulnerabilities**: Four critical remote code execution flaws impacting the Microsoft Office suite can be exploited without user intervention via the Preview Pane.
– **CVE-2025-49740 and CVE-2025-47178**: These are two additional high-severity vulnerabilities, with the former allowing files to bypass Microsoft’s Defender SmartScreen and the latter concerning Microsoft Configuration Manager, where exploitation could lead to arbitrary SQL queries execution, compromising the entire IT environment.
– **End of Support for SQL Server 2012**: The announcement marks the cessation of security patches for this version, even for critical vulnerabilities, highlighting the importance of upgrading for ongoing security.
– **Adobe Updates**: Alongside Microsoft’s patches, Adobe also released security updates for various software products, showing the broader landscape of vulnerabilities needing attention.
For professionals managing Windows environments, it’s essential to monitor these updates closely, consider the implications of unpatched vulnerabilities, and actively seek solutions to mitigate potential risks associated with them. Keeping backups prior to applying patches is also advisable to safeguard data integrity.