Send Link mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.anu.edu.au/mailman/listinfo/link
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Link digest..."
Today's Topics:
1. Microsoft enjoys first Patch Tuesday of 2025 with no active
exploits (Stephen Loosley)
----------------------------------------------------------------------
Message: 1
Date: Thu, 10 Jul 2025 19:15:54 +0930
From: Stephen Loosley <[email protected]>
To: "link" <[email protected]>
Subject: [LINK] Microsoft enjoys first Patch Tuesday of 2025 with no
active exploits
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"
Microsoft enjoys first Patch Tuesday of 2025 with no active exploits
Sure, 130 fixes were sent out, but bask in the security goodness
iconIain Thomson Tue 8 Jul 2025 // 23:01 UTC
https://www.theregister.com/2025/07/08/microsoft_patch_tuesday/
For the first time this year, Microsoft has released a Patch Tuesday bundle
with no exploited security problems, although one has been made public already,
and there are ten critical flaws to fix.
July's software flaw fix package includes 130 patches with none exploited and
only one earning a CVSS score of over nine - CVE-2025-47981. This critical
issue comes with a 9.8 score and breaks Microsoft's Simple and Protected
GSS-API Negotiation Mechanism (SPNEGO) security protocols with a heap-based
buffer overflow that would allow remote code execution.
Of the other nine new critical issues, four are in Office, which last month had
a major patching update and gets more this month. In July's fixes, four flaws
allow for remote code execution in the Office bundle. In all, Office gets 16
patches this week, but those four should be on the list of first to fix.
CVE-2025-49695 - An ugly use-after-free issue that is thankfully limited to a
user with local access.
CVE-2025-49696 - Another locally exploitable issue that has a nasty twist.
CVE-2025-49697 - A nasty buffer overflow issue that earns a CVSS 8.4 rating.
CVE-2025-49702 - This type confusion requires a user being tricked into opening
a malicious file, but that's not too hard.
CVE-2025-49696 is particularly worrisome, since it can be exploited via the
Preview Pane in Office, meaning no serious user action is required. It allows
the combination of an out-of-bounds read and heap-based buffer overflow for an
attack that requires no authentication to carry off.
If you're running an AMD processor, there are a couple of fixes that should
also be on the priority list, since Redmond has highlighted them in the
roundup. The early EPYC and Ryzen chips are all listed as needing an update,
but the chances of exploitation are less likely. Microsoft also included a
previously exploited flaw in the Chromium engine, CVE-2025-6554, that was
released earlier this month.
One of the other critical bugs is in SQL, the most serious of three patched in
Microsoft's database platform. CVE-2025-49717 allows remote code execution
using a buffer overflow, but Redmond rates it as less likely for exploitation
since exploitation would take a complex attack, albeit with no user interaction
required.
* CitrixBleed 2 exploits are on the loose as security researchers yell and wave
their hands
* Cisco scores a perfect 10 - sadly for a critical flaw in its comms platform
* CISA warns the Signal clone used by natsec staffers is being attacked, so
patch now
* Cisco fixes two critical make-me-root bugs on Identity Services Engine
components
There were 16 additional flaws fixed in Windows Routing and Remote Access
Service, all considered at low risk of exploitation, but which still need to be
patched. There are also five fixes for Microsoft's BitLocker encryption system,
four of them listed by Redmond as more likely to be exploited, which if used
improperly could be used to harvest data without the usual security checks.
And the best of the rest
As ever, Adobe has been piggybacking off Microsoft's patching session with a
bundle of patches, the most serious of which are for ColdFusion, and Experience
Manager Forms. These two applications need to be updated as a priority, Adobe
said.
The former includes 13 patches, five of them ranked as critical, including a
CVSS 9.3 issue that would allow data examination by an attacker. In the case of
Experience Manager Forms, there's just a single flaw to be fixed, but it's a
CVSS 9.8 that would allow code to be executed on a target system. Experience
Manager Screens also picks up a couple of important patches.
As for the rest of Adobe's offerings, unusually there were no patches for
either Reader or Photoshop this month. However, FrameMaker got 15 patches (13
of them critical) and Illustrator got ten patches today, including seven
criticals.
Elsewhere, there were six critical flaws to get fixed in InDesign, and three
criticals for InCopy, all with a CVSS 7.8 score. There are also three patches
for Substance 3D Viewer, including a single critical fix. After Effects picks
up a couple of important updates, as does Dimension, and there's a singleton
apiece for Audition, Substance 3D Stager, and Connect.
In another unusual instance this month, Google released no Android security
updates. That might be explained by the fact that Android Version 16 was
released last month and contains a lot of fixes - although non-Pixel users are
going to have to wait until OEMs catch up.
SAP was happy to fill the gap in admins' lives, however, with 27 new security
updates, and four updated ones. The most serious, scoring a perfect 10 on the
CVSS ranking, is a grab-bag of issues with SAP Supplier Relationship Management
(Live Auction Cockpit), and there's a CVSS 9.9 issue with Code Injection
vulnerability in SAP S/4HANA and SAP SCM that needs a patch. These are two of
the six critical fixes SAP issued. ?
------------------------------
Subject: Digest Footer
_______________________________________________
Link mailing list
[email protected]
https://mailman.anu.edu.au/mailman/listinfo/link
------------------------------
End of Link Digest, Vol 392, Issue 6
************************************
