This page was created programmatically; to read the article in its original location, go to the link below:
https://krebsonsecurity.com/2025/11/microsoft-patch-tuesday-november-2025-edition/
If you wish to remove this article from our site, please contact us.
Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that’s already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is good because the zero-day flaw and other critical weaknesses affect all versions of Windows, including Windows 10.
Affected products this month include the Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot, and Azure Monitor Agent. The zero-day threat concerns a memory corruption bug deep in the Windows innards called CVE-2025-62215. Despite the flaw’s zero-day status, Microsoft has assigned it an “important” rating rather than critical, because exploiting it requires an attacker to already have access to the target’s device.
“These types of vulnerabilities are often exploited as part of a more complex attack chain,” said Johannes Ullrich, dean of research for the SANS Technology Institute. “However, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities.”
Ben McCarthy, lead cybersecurity engineer at Immersive, called attention to CVE-2025-60274, a critical weakness in a core Windows graphic component (GDI+) that is used by a large number of applications, including Microsoft Office, web servers processing images, and countless third-party applications.
“The patch for this should be an organization’s highest priority,” McCarthy said. “While Microsoft assesses this as ‘Exploitation Less Likely,’ a 9.8-rated flaw in a ubiquitous library like GDI+ is a critical risk.”
Microsoft patched a critical bug in Office — CVE-2025-62199 — that can lead to remote code execution on a Windows system. Alex Vovk, CEO and co-founder of Action1, said this Office flaw is a high priority because it is low complexity, needs no privileges, and can be exploited just by viewing a booby-trapped message in the Preview Pane.
Many of the more concerning bugs addressed by Microsoft this month affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month. As that deadline rolled around, however, Microsoft began offering Windows 10 users an extra year of free updates, so long as they register their PC to an active Microsoft account.
Judging from the comments on last month’s Patch Tuesday post, that registration worked for a lot of Windows 10 users, but some readers reported the option for an extra year of updates was never offered. Nick Carroll, cyber incident response manager at Nightwing, notes that Microsoft has recently released an out-of-band update to address issues when trying to enroll in the Windows 10 Consumer Extended Security Update program.
“If you plan to participate in the program, make sure you update and install KB5071959 to address the enrollment issues,” Carroll said. “After that is installed, users should be able to install other updates such as today’s KB5068781 which is the latest update to Windows 10.”
Chris Goettl at Ivanti notes that in addition to Microsoft updates today, third-party updates from Adobe and Mozilla have already been released. Also, an update for Google Chrome is expected soon, which means Edge will also be in need of its own update.
The SANS Internet Storm Center has a clickable breakdown of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on any updates gone awry.
As always, please don’t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.
[Author’s note: This post was intended to appear on the homepage on Tuesday, Nov. 11. I’m still not sure how it happened, but somehow this story failed to publish that day. My apologies for the oversight.]