Welcome to the third Patch Tuesday of the year; let’s find out what new surprises and challenges await. This month, there are 57 vulnerabilities, seven of which are zero-days. This time, six of the zero-days are being actively exploited.
After an initial discussion about this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.
What is Patch Tuesday?
Patch Tuesday falls on the second Tuesday of every month. This is when, Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins expect these updates and have time to gear up for them.
Why is Patch Tuesday important?
Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday, unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.
March 2025 Patch Tuesday
Security Updates Lineup
Here is a breakdown of the vulnerabilities fixed this month:
CVE IDs: 57
Republished CVE IDs: 10 (more details on this below)
Security updates were released for the following products, features, and roles:
-
Windows exFAT File System
-
Azure Agent Installer
-
Windows MapUrlToZone
-
Windows Remote Desktop Services
-
.NET
-
Windows Win32 Kernel Subsystem
-
Microsoft Streaming Service
-
Role: Windows Hyper-V
-
Azure CLI
-
Windows Routing and Remote Access Service (RRAS)
-
Windows NTLM
-
Windows USB Video Driver
-
Windows Telephony Server
-
Microsoft Office
-
Windows Common Log File System Driver
-
Windows Mark of the Web (MOTW)
-
Role: DNS Server
-
Windows Kernel-Mode Drivers
-
ASP.NET Core & Visual Studio
-
Windows File Explorer
-
Microsoft Local Security Authority Server (lsasrv)
-
Windows Cross Device Service
-
Microsoft Office Word
-
Microsoft Office Excel
-
Windows Subsystem for Linux
-
Windows NTFS
-
Windows Fast FAT Driver
-
Azure PromptFlow
-
Windows Kernel Memory
-
Visual Studio
-
Microsoft Windows
-
Azure Arc
-
Microsoft Office Access
-
Visual Studio Code
-
Microsoft Management Console
-
Microsoft Edge (Chromium-based)
-
Remote Desktop Client
Learn more in the MSRC’s release notes.
Details of the zero-day vulnerabilities
Vulnerable Component: Windows Win32 Kernel Subsystem
Impact: Elevation of Privilege
CVSS 3.1: 7.0
Microsoft has resolved a security vulnerability that enabled local attackers to gain SYSTEM privileges through the exploitation of a race condition. Currently, specific details on the exploitation method have not been disclosed by Microsoft. The vulnerability was identified by Filip Jurčacko from ESET, and further information is anticipated to be released in due course.
Vulnerable Component: Windows NTFS
Impact: Information Disclosure
CVSS 3.1: 4.6
This vulnerability can be exploited by attackers with physical access to the device by inserting a malicious USB drive. Exploiting this flaw enables attackers to read portions of heap memory and steal information. Microsoft notes that the vulnerability was disclosed anonymously.
Vulnerable Component: Windows Fast FAT File System Driver
Impact: Remote Code Execution
CVSS 3.1: 7.8
A remote code execution vulnerability is present due to an integer overflow in the Windows Fast FAT Driver. Exploitation of this flaw requires an attacker to deceive a local user into mounting a specially crafted VHD. While Microsoft has not shared specific exploitation methods, it notes that malicious VHD images have been used in past phishing attacks and through pirated software. This vulnerability was disclosed anonymously.
Vulnerable Component: Windows NTFS
Impact: Information Disclosure
CVSS 3.1: 5.5
Microsoft indicates that attackers can leverage this flaw to access small segments of heap memory and extract sensitive information. Exploitation involves deceiving a user into mounting a malicious VHD file. This vulnerability was disclosed anonymously.
Vulnerable Component: Windows NTFS
Impact: Remote Code Execution
CVSS 3.1: 7.8
A heap-based buffer overflow vulnerability in Windows NTFS permits an attacker to execute arbitrary code. This flaw can be exploited by persuading a local user to mount a specially crafted VHD. The vulnerability was disclosed anonymously.
Vulnerable Component: Microsoft Management Console
Impact: Security Feature Bypass
CVSS 3.1: 7.0
This vulnerability allows malicious .msc files to bypass Windows security features and execute arbitrary code. Exploiting this flaw requires attackers to convince users to open a malicious file, typically distributed through email or instant messaging. While users cannot be compelled to view content controlled by an attacker, social engineering tactics may be employed. This vulnerability was discovered by Aliakbar Zahravi from Trend Micro, though specific exploitation details have not been disclosed.
Vulnerable Component: Microsoft Access
Impact: Remote Code Execution
CVSS 3.1: 7.8
A use-after-free memory bug in Microsoft Office Access enables remote code execution. To exploit this flaw, an attacker would need to trick a user into opening a specially crafted Access file. This can be achieved through phishing or social engineering attacks, but the flaw cannot be exploited through the preview pane. Microsoft has not shared the details on who disclosed this flaw.
Republished CVE IDs
Besides the vulnerabilities fixed in this month’s Patch Tuesday, Microsoft has also republished ten CVE IDs. These are as follows:
Some third-party vendors such as Broadcom, Cisco, Google, and Ivanti have also released updates this month.
Best practices to handle patch management in a hybrid work environment
Most organizations have opted to embrace remote work even after returning to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.
Here are a few pointers to simplify the process of remote patching:
-
Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
-
Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.
-
Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.
-
Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
-
Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
-
Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume a lot of bandwidth.
-
Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
-
Run patch reports to get a detailed view of the health status of your endpoints.
For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them. Install the latest updates and feature packs before deeming your back-to-office machines fit for production. Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.
With Endpoint Central, Patch Manager Plus, or Vulnerability Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.
Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.
Ready, get set, patch!
