Ethical Hacking News

Microsoft Pushes Security Updates to Fix Over 60 Vulnerabilities



Microsoft has released its November 2025 Patch Tuesday update, addressing over 60 vulnerabilities across its Windows operating systems and supported software. Among these vulnerabilities is at least one zero-day bug that has already been exploited by attackers. The update includes patches for CVE-2025-62215, a memory corruption bug and CVE-2025-60274, a critical weakness in GDI+, as well as a critical bug in Microsoft Office (CVE-2025-62199) that can lead to remote code execution on a Windows system.

  • Microsoft released its November 2025 Patch Tuesday update, addressing over 60 vulnerabilities.
  • A zero-day bug, CVE-2025-62215, has already been exploited by attackers and is fixed in this update.
  • CVE-2025-60274 is a critical weakness in GDI+ that affects a large number of applications and warrants high-priority patching.
  • CVE-2025-62199 can lead to remote code execution on Windows systems, considered high-priority due to its low complexity and ease of exploitation.



    Microsoft's regular "Patch Tuesday" update cycle has been a staple of the tech industry for years, providing critical security fixes and updates to protect users from various threats. This week, Microsoft released its November 2025 Patch Tuesday update, which addresses over 60 vulnerabilities in its Windows operating systems and supported software. Among these vulnerabilities is at least one zero-day bug that has already been exploited by attackers.

    The update includes patches for CVE-2025-62215, a memory corruption bug deep within the Windows innards that Microsoft has assigned an "important" rating rather than critical. This may seem like a less severe rating, but Johannes Ullrich, dean of research at the SANS Technology Institute, notes that vulnerabilities like this are often exploited as part of more complex attack chains. In the case of CVE-2025-62215, exploiting it is likely to be relatively straightforward, given the existence of prior similar vulnerabilities.

    On the other hand, CVE-2025-60274 is a critical weakness in a core Windows graphic component (GDI+) that affects a massive number of applications, including Microsoft Office, web servers processing images, and countless third-party applications. Ben McCarthy, lead cybersecurity engineer at Immersive, calls attention to this vulnerability, stating that the patch for it should be an organization's highest priority.

    In addition to these more serious vulnerabilities, Microsoft has also addressed a critical bug in its Office software (CVE-2025-62199) that can lead to remote code execution on a Windows system. This is considered high-priority by Alex Vovk, CEO and co-founder of Action1, because it is low complexity and requires no privileges to exploit. Furthermore, this vulnerability can be exploited simply by viewing a booby-trapped message in the Preview Pane.

    It's worth noting that many of these vulnerabilities affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month. In response to this, Microsoft has been offering Windows 10 users an extra year of free updates, provided they register their PC to an active Microsoft account. However, some readers have reported that the option for this extension was never offered.

    To address issues related to the enrollment process, Microsoft has recently released an out-of-band update (KB5071959) to resolve problems when trying to enroll in the Windows 10 Consumer Extended Security Update program. Chris Goettl at Ivanti notes that users should install this update before attempting to install other updates, such as KB5068781.
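    The install-order advice above can be checked before touching Windows Update. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes it runs on the Windows 10 host being enrolled and that both updates are visible to Get-HotFix once installed.

```powershell
# Added check (not from the article): confirm the out-of-band enrollment fix
# KB5071959 is present on a Windows 10 host before the cumulative update
# KB5068781 is attempted, matching the install order recommended above.
$Prerequisite = 'KB5071959'
$Cumulative   = 'KB5068781'

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "OS: $($os.Caption) build $($os.BuildNumber)"

if ($os.Caption -notmatch 'Windows 10') {
    Write-Host "Not Windows 10; the Consumer ESU enrollment prerequisite does not apply."
    return
}

# Get-HotFix raises an error when the ID is absent; suppress it and test for $null.
$pre = Get-HotFix -Id $Prerequisite -ErrorAction SilentlyContinue
$cum = Get-HotFix -Id $Cumulative   -ErrorAction SilentlyContinue

if ($null -eq $pre) {
    Write-Warning "$Prerequisite is not installed. Install it before $Cumulative."
    exit 1
}
Write-Host "$Prerequisite installed on $($pre.InstalledOn)."

if ($null -eq $cum) {
    Write-Host "$Cumulative is not yet installed; the prerequisite is in place, so it can be applied now."
} else {
    Write-Host "$Cumulative already installed on $($cum.InstalledOn)."
}
```

    A non-zero exit code lets the check gate a larger deployment script so that KB5068781 is never pushed to a host that still lacks KB5071959.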

    In addition to Microsoft's updates, third-party vendors like Adobe and Mozilla have also released patches for their software. Furthermore, an update for Google Chrome is expected soon, which means Edge will also need its own update.

    As with any major security update, it's essential for users to back up their data at regular intervals to prevent potential issues when installing new updates. The SANS Internet Storm Center offers a clickable breakdown of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should also keep an eye on askwoody.com for any information about problematic updates.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Microsoft-Pushes-Security-Updates-to-Fix-Over-60-Vulnerabilities-ehn.shtml

  • https://krebsonsecurity.com/2025/11/microsoft-patch-tuesday-november-2025-edition/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-62215

  • https://www.cvedetails.com/cve/CVE-2025-62215/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-60274

  • https://www.cvedetails.com/cve/CVE-2025-60274/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-62199

  • https://www.cvedetails.com/cve/CVE-2025-62199/


  • Published: Sun Nov 16 16:02:08 2025 by llama3.2 3B Q4_K_M