#microsoft

Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.

But there's plenty in it — including two zero-days — that need immediate attention.

Microsoft has released its monthly security update for January of 2025 which includes 58 vulnerabilities, including 3 that Microsoft marked as “critical” and one marked as "moderate". The remaining vulnerabilities listed are classified as “important.”

**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploits this vulnerability could elevate their privileges to perform commands as Root in the target environment.

**Why is this HackerOne CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Node.js software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

**According to the CVSS metric, Integrity (I:L) is Low. What does that mean for this vulnerability?** An attacker's message can inherit the sender's email address from another message in the UI. The attacker cannot control which message it inherits from. This issue occurs exclusively for messages in the Junk folder, as it is the only folder where the app displays the sender's email address. The attacker cannot affect confidentiality or availability.

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires multiple conditions to be met, such as specific application behavior, user actions, manipulation of parameters passed to a function, and impersonation of an integrity level token.

**What type of information could be disclosed by this vulnerability?** An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.

**How could an attacker exploit this vulnerability?** To successfully exploit this remote code execution vulnerability, an attacker could send a malicious logon request to the target domain controller.

**How could an attacker exploit this vulnerability?** To successfully exploit this remote code execution vulnerability, an attacker could send a malicious logon request to the target domain controller.