
Microsoft updates: Are security threats overstated again?

Microsoft released its January updates, which address hundreds of bugs, most of them rated serious. Has their severity been overstated again?

Microsoft logo is screened on a mobile phone for illustration photo. Krakow, Poland on October 17th, 2024. (Photo by Beata Zawrzel/NurPhoto via Getty Images)
Images source: © GETTY | NurPhoto
Kamil J. Dudek

The security bulletins published on the Microsoft Security Response Center (MSRC) site describe each monthly update package, and they tend to overstate the severity of what they fix. Many local vulnerabilities are labelled as remote, which suggests that the exploit has to arrive over the network. By that logic every vulnerability is remote, because the exploit was not written on the machine being patched. The distinction worth keeping in mind is that Microsoft's "Remote Code Execution" label is an impact category, while the CVSS vector carries a separate Attack Vector (AV:N for network, AV:L for local) and a separate User Interaction flag (UI:N or UI:R). A file-parsing bug triggered by opening an attachment is routinely called RCE even though its vector is local and it needs a click.

Key fixes

The January bulletins list dozens of vulnerabilities, many with CVSS scores of 9.8 and 8.8. A 9.8 encodes a network attack vector with no privileges and no user interaction required; an 8.8 usually means the same bug with either user interaction or low privileges added, so only the 9.8s actually claim a no-interaction attack. But is it really so? The top entry, CVE-2025-21307, concerns the PGM protocol (implemented by the Reliable Multicast driver), which is disabled by default. Another, CVE-2025-21311, concerns NTLMv1, which is not used by default, is governed by the LmCompatibilityLevel policy, and matters in domain environments.

NTLM in general is surprisingly troublesome. It shows up again in a flaw in the theme engine (Windows Themes, CVE-2025-21308), where a crafted theme file makes the system send NTLM credentials outward. The third "most expensive" flaw, CVE-2025-21298, is in OLE and is marked as remote and requiring no user interaction.

Overrated CVSS?

The same misuse appears here. The attack is indeed remote, since the carrier is, for example, an e-mail. The "no interaction" claim is another matter: the advisory's own details say the user has to open the malicious message in a vulnerable version of Outlook. That is definitely interaction. Microsoft's rationale for scoring it UI:N is that Outlook's Preview Pane can render such a message without a click, and whether previewing counts as interaction is precisely the point in dispute. Incidentally, rendering rich-text (RTF) mail in classic Outlook is now essentially the only way to reach OLE over the network. Given its history, Microsoft wants to retire the old Outlook, but has not managed to yet.

"Rare" and "disabled by default" are not reasons to lower the CVSS score, and by design they cannot be: the base score describes the bug in isolation, and deployment-specific factors belong in the environmental metrics, which only the organisation doing the deploying can fill in. It only means there is usually no urgent need to patch the theoretically most critical holes. Still, contrary to the more radical opinions, it is always wise to install updates at the first opportunity, and so far no problems caused by this month's updates themselves have been reported. What about the dozens of other vulnerabilities?

Telephony

They fall into a handful of groups: the Telephony service (a line-up of over thirty CVEs; listing them would, nomen omen, resemble a phone book), Windows Search, exploitable locally (CVE-2025-21292), Remote Desktop (CVE-2025-21309 and CVE-2025-21297, requiring a connection to a malicious server), SPNEGO (CVE-2025-21295, in the GSS-API negotiation layer, so authentication once more, unsurprisingly), malicious multimedia streams (CVE-2025-21291) and Active Directory (CVE-2025-21293).

Many of the serious issues patched in January are in the Telephony service, which is not commonly used by default. The vulnerabilities marked as less serious are far more interesting, such as the three privilege escalations through Hyper-V's NT kernel integration (the VSP: CVE-2025-21333, CVE-2025-21334, CVE-2025-21335), which Microsoft listed as already exploited in the wild when the fixes shipped. Hyper-V, naturally, is also not enabled by default... although the same hypervisor underpins virtualization-based security, Windows Sandbox and WSL 2, which are far more widely present than the Hyper-V Manager role itself.

Heavy updates

However, dozens of other mechanisms are enabled, and they make life easier for criminals exploiting far less severe vulnerabilities. That is why installing updates matters. For those convinced that Windows works perfectly "right out of the box" and that an updated Windows somehow stops working, it is worth noting that every version of Windows had very serious shortcomings in its initial release. The latest update for Windows 11 weighs in at approximately 1,079 megabytes, while the Windows 10 update is about 737 megabytes, plus a further 61 megabytes of prerequisites.