{"id":7288,"date":"2025-02-11T15:55:35","date_gmt":"2025-02-11T21:55:35","guid":{"rendered":"https:\/\/www.darkreading.com\/application-security\/microsofts-february-patch-lighter-lift-januarys"},"modified":"2025-02-11T15:55:35","modified_gmt":"2025-02-11T21:55:35","slug":"microsofts-february-patch-a-lighter-lift-than-januarys","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/02\/11\/microsofts-february-patch-a-lighter-lift-than-januarys\/","title":{"rendered":"Microsoft’s February Patch a Lighter Lift Than January’s"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

Microsoft’s February security update contains substantially fewer vulnerabilities for admins to address compared to a month ago, but there’s still plenty in it that requires immediate attention.<\/span><\/p>\n

Topping the list are two zero-day vulnerabilities that attackers are actively exploiting in the wild, two more that are publicly known but not exploited yet, a patch for a zero-day that Microsoft disclosed in December 2024, and an assortment of other common vulnerabilities and exposures (CVEs) with potentially severe consequences for affected organizations.<\/span><\/p>\n

63 CVEs, 2 Zero-Days<\/h2>\n

In total, Microsoft released patches for <\/span>63 unique CVEs<\/a><\/span>, a far cry from the <\/span>massive 159 CVEs<\/a><\/span> \u2014 including a startling eight zero-days \u2014 that the company disclosed in January. Microsoft assessed four of the bugs it disclosed today as being of critical severity. It rated the vast majority of the remaining bugs as important to address but of lesser severity for a variety of factors, including attack complexity and privileges required to exploit the vulnerability.<\/span><\/p>\n

The two actively exploited zero-day bugs in this month’s update are <\/span>CVE-2025-21418<\/a><\/span> (CVSS score 7.8), an elevation of privilege vulnerability in Windows Ancillary Function Driver for WinSock, and <\/span>CVE-2025-21391<\/a><\/span> (CVSS 7.1), another elevation of privilege issue, this time affecting Windows Storage. Per its usual practice, Microsoft’s advisories for both bugs offered no details on the exploitation activity. But security researchers had their own take on why organizations need to address the issues ASAP.<\/span><\/p>\n

CVE-2025-21418, for instance, only enables a local exploit. That means an attacker or malicious insider must already have access to a target machine, via a phishing attack, malicious document, or other vector, said Kev Breen, senior director, cyber threat research, at Immersive Labs. Even so, such flaws are “valuable to attackers as they allow them to disable security tooling, dump credentials, or move laterally across the network to exploit the increased access,” Breen said in an emailed comment. An attacker who successfully exploits the flaw can gain SYSTEM level privileges on the affected system, he said, while recommending that organizations make the vulnerability a top priority to fix.<\/span><\/p>\n

With CVE-2025-21391, the Windows Storage zero-day, the concern is not about the flaw enabling unauthorized data access; rather, the concern is about how attackers could exploit it to affect data integrity and availability. “Microsoft has outlined that if the attacker successfully exploited this vulnerability, they would only be able to delete targeted files on a system,” said Natalie Silva, lead cyber security engineer at Immersive Labs, in an emailed comment. “Microsoft has released patches to mitigate this vulnerability. It’s recommended for administrators to apply these immediately.”<\/span><\/p>\n

In a blog, researchers at Action1 <\/span>described the flaw<\/a><\/span> as resulting from a weakness in how Windows Storage resolves file paths and follows links. Attackers can leverage the weakness to “redirect file operations to critical system files or user data, leading to unauthorized deletion,” the security vendor said.<\/span><\/p>\n

Breen recommended that organizations also treat <\/span>CVE-2025-21377,<\/a><\/span> an NTLM hash disclosure spoofing vulnerability, as a high priority bug that needs immediate attention. When Microsoft originally disclosed the bug in December 2024, it did not have a patch available for it, making the flaw a zero-day threat. “The vulnerability allows a threat actor to steal the NTLM credentials for a victim by sending them a malicious file,” Breen said. “The user doesn’t have to open or run the executable but simply viewing the file in Explorer could be enough to trigger the vulnerability.” Microsoft itself has assessed the vulnerability as something that threat actors are more likely to exploit<\/span><\/p>\n

The other previously disclosed vulnerability in the February patch update is <\/span>CVE-2025-21194<\/a><\/span>, a security feature bypass vulnerability in Microsoft Surface.<\/span><\/p>\n

Critical Flaws<\/h2>\n

The flaws that Microsoft rated as being of critical severity in this latest update are <\/span>CVE-2025-21379<\/a><\/span> (CVSS Score 7.1), an RCE in the DHCP client service; <\/span>CVE-2025-21177<\/a><\/span> (CVSS Score 8.7), a privilege elevation vulnerability in Microsoft Dynamics 365 Sales; <\/span>CVE-2025-21381<\/a><\/span> (CVSS 7.8), a Microsoft Excel RCE; and <\/span>CVE-2025-21376<\/a><\/span> (CVSS 8.1), an RCE in Windows LDAP and the only one in the set that Microsoft identified as more vulnerable to exploitation.<\/span><\/p>\n

Interestingly, one of the flaws that Microsoft rated as critical (CVE-2025-21177) required affected customers to do nothing, but it is an issue that Microsoft has already addressed on its end. This vulnerability makes use of the newer CAR (customer action required) attribute to identify that there is no customer actions required, says Tyler Reguly, associate director security R&D at Fortra. “While these information updates are nice, they can bloat the number of updates that admins may be worried about dealing with on a Patch Tuesday,” Reguly said in an emailed comment. “One can’t help but wonder if these updates should be issued outside of Patch Tuesday since they do not require customer action.”<\/span><\/p>\n

Meanwhile, the only CVE to earn a severity score of 9.0 in this month’s update \u2014 (<\/span>CVE-2025-21198<\/a><\/span>) \u2014 is an RCE affecting Microsoft High Performance Compute (HPC) Pack. An attacker cannot exploit the flaw unless they have access to the network used to connect to the high-performance cluster, Reguly said. “This networking requirement should limit the impact of what would otherwise be a more serious vulnerability.”<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Microsoft’s February security update contains substantially fewer vulnerabilities for admins<\/p>\n","protected":false},"author":12,"featured_media":7289,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-7288","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/microsofts-february-patch-a-lighter-lift-than-januarys.jpg?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/microsofts-february-patch-a-lighter-lift-than-januarys.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/microsofts-february-patch-a-lighter-lift-than-januarys.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/microsofts-february-patch-a-lighter-lift-than-januarys.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/microsofts-february-patch-a-lighter-lift-than-januarys.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/microsofts-february-patch-a-lighter-lift-than-januarys.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/microsofts-february-patch-a-lighter-lift-than-januarys.jpg?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/microsofts-february-patch-a-lighter-lift-than-januarys.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/microsofts-february-patch-a-lighter-lift-than-januarys.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/microsofts-february-patch-a-lighter-lift-than-januarys.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/microsofts-february-patch-a-lighter-lift-than-januarys.jpg?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7288","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7288"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7288\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/7289"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7288"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7288"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7288"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}