Microsoft's January updates: Serious flaws or exaggeration?
Microsoft has released its January updates, which patch hundreds of bugs, with most considered serious. Have they perhaps been slightly overestimated again?
Security bulletins available on the Microsoft Security Response Center website, which describe the monthly update packages, have a tendency to overestimate the severity of threats. Many local vulnerabilities have been labelled as remote, as if the exploit had to arrive over the network. By that logic every vulnerability is remote, because the exploit was not written directly on the computer being updated.
Key fixes
The January bulletins present dozens of vulnerabilities, many with CVSS scores of 9.8 and 8.8. That suggests attacks requiring no user interaction, but is that really the case? The top vulnerability, CVE-2025-21307, concerns the PGM (Pragmatic General Multicast) protocol, which is disabled by default. Another, CVE-2025-21311, concerns domain environments: it relates to the NTLMv1 mechanism, which is not used by default.
NTLM is a surprisingly persistent source of trouble in general; its presence is also what lies behind the flaw in the theme engine (Themes, CVE-2025-21308). The third "most expensive" flaw, CVE-2025-21298, involves OLE and is marked as remote and as requiring no user interaction.
Overrated CVSS?
And here the misuse appears again. The attack is indeed remote, in that it arrives by email (so to speak). The claim of no interaction, however, is incorrect: the details clearly state that the user must open the malicious email in a vulnerable version of Outlook. That is definitely interaction. Incidentally, loading "enriched" emails in classic Outlook is now essentially the only way to reach OLE over the network. For historical reasons Microsoft has long wanted to retire the old Outlook, but still has not managed to.
"Rare" and "disabled by default" are not reasons to lower a CVSS score. They only mean there is usually no urgent need to patch the theoretically most important holes; it is still wise to install updates at the earliest opportunity, contrary to more radical opinions. No new problems with the updates have been reported so far. What about the dozens of other vulnerabilities?
Telephony
The rest of the serious list: the telephony services (a lineup of over thirty CVEs; listing them would resemble, nomen omen, a phone book), Windows Search (CVE-2025-21292, local), Remote Desktop (CVE-2025-21309 and CVE-2025-21297, both requiring a connection to a malicious server), SPNEGO (CVE-2025-21295, GSSAPI: surprise), malicious multimedia streams (CVE-2025-21291) and Active Directory (CVE-2025-21293).
It turns out that most of the serious issues patched by the January updates are holes in the Telephony service, which is not commonly used by default. The holes marked as less serious are much more intriguing, such as the ability to escape from Hyper-V (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335). Hyper-V, naturally, is also not enabled by default...
Heavy updates
However, dozens of other mechanisms are enabled, and they make life easier for criminals exploiting much less severe holes. That is why installing updates is so crucial. For those convinced that Windows "right out of the box" works correctly, or that an updated Windows magically stops having issues, it is worth noting that every single release of Windows in its first version contained very serious shortcomings. The latest update for Windows 11 is about 1,100 megabytes, while for Windows 10 it is 750 megabytes plus an additional 60 for prerequisites.