Microsoft Patches Critical Vulnerabilities, Including Actively Exploited Zero-Day Bug
A wave of security updates released this week by Microsoft addresses over 60 vulnerabilities across its Windows operating systems and related software, including a zero-day flaw already being exploited by attackers. The updates also resolve an issue preventing some Windows 10 users from receiving extended security updates.
Microsoft’s latest “Patch Tuesday” release tackles a broad range of products, encompassing the Windows OS, Office suite, SharePoint, SQL server, Visual Studio, GitHub Copilot, and Azure Monitor Agent. While the most pressing concern is the actively exploited zero-day vulnerability, several other critical weaknesses demand immediate attention.
The zero-day, identified as CVE-2025-62215, is a memory corruption bug residing within the core of the Windows operating system. Despite its severity as a zero-day – meaning no public defense was available prior to the patch – Microsoft has categorized it as “critically important” rather than “critical.” This assessment is based on the fact that successful exploitation requires an attacker to already possess some level of access to the targeted device. However, security experts caution against complacency.
“These types of vulnerabilities are often exploited as part of a more complex attack chain,” noted a researcher at the SANS Technology Institute. “Though, exploiting this specific vulnerability is highly likely to be relatively straightforward, given the existence of prior similar vulnerabilities.”
A notably alarming vulnerability highlighted by cybersecurity professionals is CVE-2025-60274, a 9.8-rated flaw within the Windows Graphics Component (GDI+). GDI+ is a foundational element used by a vast array of applications, including Microsoft Office, web servers handling images, and numerous third-party programs.
“The patch for this should be an association’s highest priority,” stated a lead cybersecurity engineer at Immersive. “While Microsoft assesses this as ‘Exploitation Less Likely,’ a flaw of this magnitude in a ubiquitous library like GDI+ represents a critical risk.”
Further compounding the urgency, Microsoft has also patched a critical bug in Office (CVE-2025-62199) that could allow for remote code execution on a Windows system. According to the CEO of Action1, this Office vulnerability is particularly dangerous due to its low complexity, lack of privilege requirements, and potential for exploitation simply by viewing a malicious message in the Preview Pane.
The updates are especially crucial for users still operating Windows 10, an operating system that officially ended its standard support period last month. Microsoft has extended a lifeline to Windows 10 users by offering a year of free security updates, contingent upon registering their PCs with an active Microsoft account. However, reports indicate that the registration process has been problematic for some, prompting Microsoft to release an out-of-band update – KB5071959 – to address enrollment issues. Users attempting to enroll in the Extended Security Update program should install this update before attempting to install the latest updates, including KB5068781.
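For administrators checking that ordering across a fleet, here is an added PowerShell example (not from the original post) that uses Get-HotFix to confirm the enrollment fix KB5071959 is present on a Windows 10 host before KB5068781 is pushed; the function name Test-EsuPatchOrder and the status wording are my own.

```powershell
# Added example, not from the original post. Checks the installed-update
# inventory for the two KB numbers named in the article. Get-HotFix reads
# Win32_QuickFixEngineering, which lists most but not every update, so treat
# a missing entry as "verify manually", not as proof of absence.

$EnrollmentFixKb = 'KB5071959'   # out-of-band ESU enrollment fix (from the article)
$NovemberCuKb    = 'KB5068781'   # latest cumulative update (from the article)

function Test-EsuPatchOrder {
    param(
        [string]$PrereqKb = $EnrollmentFixKb,
        [string]$UpdateKb = $NovemberCuKb
    )

    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $os        = Get-CimInstance -ClassName Win32_OperatingSystem

    $isWin10   = $os.Caption -like '*Windows 10*'
    $hasPrereq = $installed -contains $PrereqKb
    $hasUpdate = $installed -contains $UpdateKb

    # Decide what the operator should do next on this host.
    if (-not $isWin10) {
        $status = 'N/A: not Windows 10, ESU enrollment fix does not apply'
    } elseif ($hasUpdate -and -not $hasPrereq) {
        $status = "WARNING: $UpdateKb installed but $PrereqKb missing; check ESU enrollment"
    } elseif ($hasPrereq) {
        $status = "OK: $PrereqKb present, safe to install $UpdateKb"
    } else {
        $status = "ACTION: install $PrereqKb before $UpdateKb"
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OS            = $os.Caption
        Build         = $os.BuildNumber
        PrereqPresent = $hasPrereq
        UpdatePresent = $hasUpdate
        Status        = $status
    }
}

# Run locally; with Invoke-Command the same function can be fanned out to many hosts.
Test-EsuPatchOrder | Format-List
```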
Beyond Microsoft’s own products, updates have also been released by third-party vendors like Adobe and Mozilla. An update for Google Chrome is anticipated soon, necessitating a corresponding update for Microsoft Edge.
For a detailed breakdown of each Microsoft fix, indexed by severity and CVSS score, the SANS Internet Storm Center provides a resource. Organizations involved in patch testing are advised to monitor for reports on any potential issues arising from the updates.
As a standard practice, regular data backups – of entire systems if possible – remain paramount. Users are encouraged to share any issues encountered during the installation process in the comments.
[Author’s note: This post was intended to appear on the homepage on Tuesday, Nov. 11. I’m still not sure how it happened, but somehow this story failed to publish that day. My apologies for the oversight.]
