For July, a ‘big, broad’ Patch Tuesday release
Friday July 11, 2025. 08:03 PM , from ComputerWorld
With 133 patches in its Patch Tuesday update this month, Microsoft delivered a big, broad and important release that requires a Patch Now plan for Windows, Microsoft Office and SQL Server. A zero-day (CVE-2025-49719) in SQL Server requires urgent action, as do Git extensions to Microsoft Visual Studio.
To help IT admins navigate these changes, the team from Readiness has provided this useful infographic detailing the risks of deploying the updates to each platform. (More information about recent Patch Tuesday releases is available here.)

Known issues

Microsoft is doing a pretty good job these days and there are a relatively small number of known issues reported for the desktop and server platforms, including this minor issue with Windows 10:

- Noto fonts are still experiencing display issues at smaller (less than 96 DPI) resolutions. For additional support, users can report issues related to Noto CJK fonts through the official Google Noto Fonts GitHub repository.

Major revisions and mitigations

So far, Microsoft has not published any revisions or updates to this month’s patches.

Windows lifecycle and enforcement updates

Likewise, there are no further enforcement updates from Microsoft this month. However, for some (strange) reason, every Microsoft support page that deals with Windows 10 displays this message: “After October 14, 2025, Microsoft will no longer provide free software updates from Windows Update, technical assistance, or security fixes for Windows 10. Your PC will still work, but we recommend moving to Windows 11.”

The team at Readiness has analyzed Microsoft’s latest updates to develop technically sound, actionable testing plans. July’s release brings significant updates to core Windows components, most notably in the areas of printing, networking, and media playback. Two components have been designated as high-risk and warrant immediate attention: the Printing Subsystem and Routing and Remote Access (RRAS). As always, we have grouped Microsoft’s updates by Windows feature and accompanied each section with prescriptive test actions and rationale to help prioritize enterprise validation efforts.

Core OS and printing

Microsoft updated several core kernel drivers affecting Windows as a whole.
This is a low-level system change and carries a high risk of compatibility and system issues. In addition, core Microsoft print libraries have been included in this month’s update, requiring additional print testing in addition to the following recommendations:

- Run print operations from 32-bit applications on 64-bit Windows environments.
- Use different print drivers and configurations (e.g., local, networked).
- Observe printing from older productivity apps and virtual environments, paying close attention to the boundaries/margins of the printing area.

Remote Desktop and network connectivity

This month’s updates could affect the reliability of remote access, and regressions in RRAS can disrupt critical network infrastructure. We recommend the following tests:

- Create and reconnect Remote Desktop (RDP) sessions under varying network conditions.
- Test modifying NAT and routing settings in RRAS configurations and ensure that changes persist across reboots.
- Create a VPN profile using the UI or PowerShell and try to connect/disconnect with different VPN servers.
- Test RemoteApp functionality by setting up and using web feed URLs.
- Test devices such as touchpads, keyboards, and touchscreens that use the I2C protocol.
- When validating routing information, ensure property pages report expected settings (checking the following protocols: DHCP, NAT, RIP, IGMP, BOOTP).

Filesystem and storage

Updates to core Windows storage libraries impact nearly every command related to file and storage operations. A minor misalignment here can result in data access issues. These are high-priority components in modern data center and hybrid cloud infrastructure, with the following storage-related testing recommendations:

- Mount and dismount FastFat, NTFS, and UDFS volumes.
- Test directory query related scenarios, such as [NtQueryDirectoryFileEx] and [NtQueryDirectoryFile].
- Configure a cluster shared volume and use it for a VM deployment.
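
The VPN profile test from the Remote Desktop and network connectivity recommendations above, as an added PowerShell example (not from the article or from Readiness). The server names are placeholders, and the script assumes the VPN servers accept the logged-on user's Windows credentials.

```powershell
# Added example: post-patch smoke test for "create a VPN profile ... and
# connect/disconnect with different VPN servers". Run on a patched test client.
# Assumption: placeholder host names; replace with your own test VPN servers.
$servers = @('vpn1.example.test', 'vpn2.example.test')

$results = foreach ($server in $servers) {
    $name = "PatchTest-$server"
    $row  = [ordered]@{ Server = $server; Created = $false; Connected = $false
                        Disconnected = $false; Error = $null }
    try {
        # Create a per-user profile that dials with the Windows logon credentials.
        Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Automatic `
            -UseWinlogonCredential -Force -ErrorAction Stop
        $row.Created = $true

        # rasdial returns a non-zero exit code when the dial attempt fails.
        rasdial.exe $name | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "rasdial connect failed, exit code $LASTEXITCODE" }
        $row.Connected = (Get-VpnConnection -Name $name).ConnectionStatus -eq 'Connected'

        rasdial.exe $name /DISCONNECT | Out-Null
        $row.Disconnected = (Get-VpnConnection -Name $name).ConnectionStatus -eq 'Disconnected'
    }
    catch {
        $row.Error = $_.Exception.Message
    }
    finally {
        # Always remove the test profile so reruns start from a clean state.
        if (Get-VpnConnection -Name $name -ErrorAction SilentlyContinue) {
            rasdial.exe $name /DISCONNECT | Out-Null
            Remove-VpnConnection -Name $name -Force -ErrorAction SilentlyContinue
        }
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
# A non-zero exit lets a test pipeline flag the regression.
if ($results | Where-Object { -not ($_.Created -and $_.Connected -and $_.Disconnected) }) {
    exit 1
}
```

Run it once before applying the July updates and once after, and compare the two result tables.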

Media and codecs

Microsoft issued extensive testing guidance for media codecs, indicating a focus on this area. We recommend the following:

- Perform extensive testing of DVD playback, including menu navigation, chapter selection, and playback of MPEG2-encoded files from local storage.
- Validate playback on both modern and low-end hardware, monitoring for performance issues or excessive CPU usage.
- Test advanced DVD features such as subtitle/audio track switching, region encoding, and CSS copy protection.
- Open and play TIFF files.

Application deployment and SQL Server

Updates to application deployment and management components require validation to ensure that application lifecycle operations are not affected. Additionally, the latest updates include patches for various versions of SQL Server with the following suggested testing:

- Perform installation, repair, and uninstallation of MSI Installer packages using standard enterprise deployment tools.
- Test any application deployment operation on the System drive (default) or additional volume (D: or E:).
- For SQL Server, install the appropriate GDR patch on top of the baseline/RTM version and perform a clean installation and removal of the patch.

It’s important to prioritize printer testing this month, leading onto remote desktop and RRAS deployment testing, and ensuring that your core business applications install and uninstall as expected. Finally, validate the media and codec updates, as these have been highlighted by Microsoft as a key area of change.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office
- Microsoft Exchange and SQL Server
- Microsoft developer tools (Visual Studio and .NET)
- Third-party updates (rather than Adobe)

Browsers

Microsoft delivered two important updates to its browser platforms.
In addition, Google updated the Chrome engine, addressing the vulnerability CVE-2025-6554. These low-profile changes can be added to your standard release plan.

Microsoft Windows

Microsoft released six critical patches and 95 patches rated important for Windows; the critical vulnerabilities:

- CVE-2025-36357 — The vulnerability assigned to this CVE is in certain processor models offered by AMD. The mitigation requires a Windows update.
- CVE-2025-36350 — This vulnerability is also in certain processor models offered by AMD. The mitigation also requires a Windows update.
- CVE-2025-49735 — Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network.
- CVE-2025-47980 — Exposure of sensitive information to an unauthorized actor in Windows Imaging Component allows an attacker to disclose information locally.
- CVE-2025-47981 — Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an attacker to execute code over a network.
- CVE-2025-48822 — Out-of-bounds read in Windows Hyper-V allows an attacker to execute code locally.

Due to the number and severity of critical issues, make this a “Patch Now” schedule for Windows.

Microsoft Office

Microsoft released seven critical updates (and 11 rated as important) for the Office platform. The critical-rated Office patches deal with the following vulnerabilities:

- CVE-2025-49695 — Use after free in Office allows an unauthorized attacker to execute code locally.
- CVE-2025-49696 — Out-of-bounds read in Office allows an attacker to execute code locally.
- CVE-2025-49697 — Heap-based buffer overflow in Office allows an attacker to execute code locally.
- CVE-2025-49698 — Use after free in Word allows an attacker to execute code locally.
- CVE-2025-49702 — Access of resource using incompatible type (“type confusion”) in Office allows an attacker to execute code locally.
- CVE-2025-49703 — Use after free in Word allows an attacker to execute code locally.
- CVE-2025-49704 — Improper control of generation of code (“code injection”) in SharePoint allows an attacker to execute code over a network.

This represents a lot of critical updates for Microsoft Office and is unusual for their concentration in the general aspects of the platform rather than specific issues with Word or Excel. We suggest adding Office to your Patch Now release calendar, too.

Microsoft SQL Server

Microsoft released one critical and two important updates for SQL Server, including:

- CVE-2025-49717 – Heap-based buffer overflow in SQL Server allows an attacker to execute code over a network.
- CVE-2025-49718: Information disclosure vulnerability could allow an attacker to disclose information over a network.

CVE-2025-49719 has been reported as publicly disclosed. Given the presence of zero-day vulnerabilities, add the Microsoft SQL Server updates to your Patch Now schedule.

Developer tools

There were two updates (rated important) released this month affecting .NET and Visual Studio. Interestingly, there were several vulnerabilities in the Microsoft Visual Studio platform that were addressed by a third party (Mitre). These updates address security vulnerabilities in how Git integrates with Visual Studio:

- CVE-2025-27613 — Gitk Arguments Vulnerability
- CVE-2025-27614 — Gitk Arbitrary Code Execution Vulnerability
- CVE-2025-46334 — Git Malicious Shell Vulnerability
- CVE-2025-46835 — Git File Overwrite Vulnerability
- CVE-2025-48384 — Git Symlink Vulnerability
- CVE-2025-48385 — Git Protocol Injection Vulnerability
- CVE-2025-48386 — Git Credential Helper Buffer Overflow Vulnerability

Add these updates to your standard developer release schedule.

Third-party updates

This is a big month for third-party updates, with Chrome (CVE-2025-6554) and patches to Git extensions adding substantial weight to the July release. In addition, we have Mitre and AMD (CVE-2025-36350 and CVE-2025-36357) as the registered CNA for the Microsoft-targeted updates.
I expect that we will see more of this, with an extended range of third-party vendors registering and addressing Microsoft security vulnerabilities.
https://www.computerworld.com/article/4021019/for-july-a-big-broad-patch-tuesday-release.html