For October’s Patch Tuesday, a scary number of fixes

20/10 19:15 - For October’s Patch Tuesday, a scary number of fixes
Microsoft this week released 175 updates affecting Windows and Office and .NET, including server-based updates for Microsoft SQL Server and Exchange server. There are also four zero-day fixes (CVE-2025-24052, CVE-2025-24990, CVE-2025-2884 and CVE-2025-59230), leading to a “Patch Now” recommendation for Windows. (All other updates can be added to your standard patch release schedule.)  To help you navigate these changes, the Readiness team created this detailed infographic detailing the risks of deploying updates to each platform. (More information about recent Patch Tuesday releases is available here.) Known issues Microsoft documented a single, relatively minor issue with last month’s patches affecting Windows 11 desktops only: Applications that use Enhanced Video Renderer (ECR) with HDCP enforcement or Digital Rights Management (DRM) for digital audio might show copyright protection errors, frequent playback interruptions, unexpected stops, or black screens. Microsoft partially resolved this problem with its October update. We don’t expect an out-of-bounds fix for this playback issue; a full fix may have to wait until next month. Major revisions and mitigations Microsoft published several revisions to its Azure Entra ID and authentication offering and other Azure tools. However, there appears to be only one revision to a desktop (or server) patch since September:n CVE-2025-50173: Windows Installer Elevation of Privilege Vulnerability. Microsoft has updated the recommendations for this patch to include using the Multimedia Redirection Installer as well as updating all affected target systems. This revision requires customer action and should be considered for most enterprise deployments. Windows lifecycle and enforcement updates  So this is awkward. General support for Windows 10 ended Oct. 14, with Microsoft advising: “At this point technical assistance, feature updates and security updates are no longer provided. If you have devices running Windows 10, we recommend upgrading them to Windows 11” It is probably now the time to give Windows 11 a try. Soon(ish). Each month, the Readiness crew analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance based on a large app portfolio and an in-depth analysis of the patches and their potential impact on Windows platforms and application deployments. These areas are covered: RDP connectivity and session reliability. Printing and document workflow resilience. Network throughput and proxy behavior validation. UI and GPU rendering stability within Hyper-V environments. Core OS and system validation Readiness recommends that testing teams begin by validating the foundational elements of the Windows platform. Ensuring smooth startup, account management, and policy operations helps catch regressions early and prevents cascading test failures downstream: Test basic boot, login, and Windows Defender Application Control (WDAC) policy enforcement. Validate administrative tasks such as user creation, group management, and policy refresh. Confirm stability during restart, shutdown, and update rollback scenarios. Run targeted tests of BitLocker recovery and drive encryption workflows. As part of this testing effort ,ensure that Windows desktop system-level policies, encryption, and authentication behave as expected before you layer on additional higher‑level functionality testing. Remote Desktop and network connectivity We recommend validating session reliability, reconnection performance, and the behavior of dependent services for hybrid and distributed environments: Perform end-to-end RDP sessions between clients and servers. Copy files between sessions, redirect local printers and USB devices and disconnect and reconnect sessions to verify state persistence. Confirm VPN connectivity using multiple tunneling and authentication methods. Open browsers, connect repeatedly to multiple sites, and transfer large files to validate stability over TCP/IP. Test SMB loopback connections using UNC paths and validate proxy configurations when switching between corporate and guest networks. Validate client-side printing from Remote Desktop Services sessions. Your testing should generate stable connectivity sessions under changing conditions, with stateful RDP and VPN sessions and predictable proxy behavior. Printing and document workflows Testing teams should prioritize both client and server‑side printing services, with an emphasis on high‑concurrency and recovery scenarios such as: Perform multiple (large) print jobs through the Print Workflow Service. Cancel jobs mid-process and observe recovery. Restart the service during active printing to ensure there are no deadlocks or orphaned tasks. Critical core printing functions were updated this month, so crashes and blue-screens could be “on the menu” with this update. (Let’s hope not.) Networking and bluetooth interoperability Network stacks and wireless connectivity remain central to mobility testing. Teams should prioritize interoperability, speed, and reconnection behaviors for both wired and wireless scenarios: Conduct file‑transfer tests over IPv6 and measure throughput under variable latency. Perform a Bluetooth file transfer. Exercise packet send/receive flows using browsers, messaging apps, and file uploads. Test Bluetooth pairing and switching between multiple devices. Observe media playback and disconnect/reconnect transitions for smoothness and stability. Verify Nearby Share for varied file sizes and formats. You should be looking for stable file transfers (including Nearby Share and Bluetooth), consistent device switching, and reliable wireless throughput across mixed environments. Storage and file system operations Prioritize validating data integrity and access control through stress testing of file systems and storage pools: Perform NTFS read/write tests including rename, delete, and copy. Execute permission changes using GetSecurityInfo and SetSecurityInfo. Test ReFS deduplication scheduling through PowerShell. Simulate storage expansion with Storage Spaces Direct (S2D). Look for consistent read/write access and reliable storage virtualization behavior during expansion and scheduled deduplication. Graphics and UI rendering We recommend validating visual consistency and GPU acceleration in both native and virtualized environments: Verify apps using DirectComposition and the DWM API render correctly under theme changes. Change themes and wallpapers while apps run to test live refresh. Confirm GPU-accelerated Hyper-V VM sessions remain stable with display remoting enabled. You want to ensure stable rendering and error‑free theme transitions across both physical and virtual environments. Security and identity validation Testing teams should verify identity handoffs, certificate management, and logging accuracy: Test token-based sign-ins through Microsoft Entra ID and legacy NTLM fallbacks. Verify certificate generation and key management via BCrypt and NCrypt. Confirm proper logging and access-denied events in Windows Event Viewer. Try testing out credential exchanges and cryptographic functions — and ensure that audit events operate consistently across updated builds. Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:  Browsers (Microsoft IE and Edge)  Windows (both desktop and server)  Microsoft Office Microsoft Exchange and SQL Server  Microsoft Developer Tools (Visual Studio and .NET) Adobe (if you get this far)  Browsers There were no native updates for Microsoft’s browsers this month. The Chromium project has released 14 patches that have been integrated in the latest Edge release. Add these low-profile changes to your standard release calendar. Windows The following product areas have been updated with two critical patches, 101 labeled important, (yes, that’s a lot) and one rated as moderate. Given the reports of public disclosure and exploitation, we’ve highlighted the following vulnerabilities: CVE-2025-24052 and CVE-2025-24990: To address this Elevation of Privilege vulnerability in Windows desktops, Microsoft is not offering an update, but instead a removal of the ltmdm64.sys driver. The Readiness team recommends an application portfolio assessment, scanning for file and API level dependencies for this driver. Looking for application packages that deal with Faxes would be a good start. CVE-2025-2884: This update addresses a vulnerability in the CryptHmacSign function. There have been issues reported on this (and similar) out-of-bounds vulnerability(s) since June. However, Microsoft now says this vulnerability has been publicly disclosed. CVE-2025-59230: Exploits for this vulnerability in Windows Remote Access Connection Manager (WRACM) have been published; unless addressed, it could lead to an elevation of privilege scenario on the target systems.  Given these four reported zero-days for Windows, add this to your “Patch Now” schedule for October. Microsoft Office Microsoft released three updates (rated as critical) affecting Office as a platform and specifically Microsoft Excel with CVE-2025-59234, CVE-2025-59236 and CVE-2025-59227. All three updates address use-after-free memory issues; the remaining 15 patches are rated as important and address information disclosure related vulnerabilities. Add these Office updates to your standard release calendar. Microsoft Exchange and SQL Server Microsoft published a single update for SQL Server this October. This patch (CVE-2025-59250) has been rated important and attempts to resolve an issue with the JDBC integration with Microsoft SQL Server. A server reboot will be required. In addition, Microsoft released three updates to Microsoft Exchange Server (CVE-2025-53782, CVE-2025-59249 and CVE-2025-59248). Add these SQL Server and Exchange Server changes to your standard server update plan. Developer tools Six updates were published for Microsoft .NET and Visual Studio, all of them rated important. The update to Git (CVE-2025-54132) might appear odd as it relates to a bug in the Mermaid Diagram tool, but it was created on behalf of Git for publishing reasons. Add these updates to your standard patching schedule. Adobe (and third-party updates) Next month, we might see the retirement of this Adobe related section (promises, promises). That said, Microsoft has released seven updates from third-party vendors, including CERT/CC, Mitre and GitHub. It looks like Mitre and AMD are raising these CVE entries on behalf of open source organizations (such as libTiFF) to facilitate the rapid patches of these commonly used components. It’s a good idea. I hope that we see more of this kind of collaboration. ...