
Microsoft's Mega-Patch Tuesday: Half of Systems Left Vulnerable!

February 07, 2025 (3 min read)

In what is being hailed as the largest patch release since at least 2017, Microsoft’s January 2025 Patch Tuesday tackled a staggering 159 vulnerabilities, double the size of a typical January release. But while this rollout addresses a host of critical security issues, a large share of the fixes are for end-of-life versions of Windows, and on those versions the fix is only available to organizations paying for extended support. Many systems will therefore stay vulnerable, and that should concern any organization that lacks the subscription, or the upgrade path, needed to receive the updates.

What is Patch Tuesday?

For those unfamiliar, Patch Tuesday is Microsoft’s regular security update cadence: on the second Tuesday of every month, at 10 AM Pacific Time, Microsoft releases most of its security patches for Windows and its other software. Some updates are released outside that schedule as Out-of-Band (OOB) releases, reserved for higher-priority fixes that cannot wait for the next scheduled release.

The Problem: Half of the Patches Are Out of Reach

This January’s Patch Tuesday update is a massive one, with Microsoft addressing 159 vulnerabilities across its ecosystem. Of these patches:

  • 132 apply to Windows.

  • 95 cover end-of-life software, where the fix is available only through a paid program.

  • 19 affect Microsoft Office.

These categories overlap (the three counts add up to more than 159), because a single vulnerability is usually fixed in both supported and end-of-life versions of the same product.

But here’s the catch: over half of these patches cover end-of-life versions of Windows, and on those versions the fix is accessible only to organizations that subscribe to Microsoft’s Extended Security Update (ESU) program. The same vulnerabilities are fixed in currently supported versions through the normal, free Windows Update channel. ESU provides security updates for up to three years after a product’s end-of-support date. Windows 10, for instance, reaches end of support on October 14 of this year and moves into this paid program from then on. An organization still running end-of-life versions without ESU has no way to patch these vulnerabilities, several of them critical, leaving those systems at risk.

The Critical Vulnerabilities: Remote Code Execution (RCE) and Elevation of Privilege

Of the vulnerabilities patched, three carry a CVSS base score of 9.8, just short of the 10.0 maximum and well inside the Critical band. These should be a top priority for any business to address. What's worse, 36% of the patches in this release dealt with Remote Code Execution (RCE) vulnerabilities, while 25% addressed Elevation of Privilege flaws. Together, these two categories account for more than 60% of the release.

RCE vulnerabilities are among the most dangerous: they let an attacker run code of their choosing on a machine they have no account on, either over the network against an exposed service or by getting a user to open a crafted file. Elevation of Privilege vulnerabilities give an attacker who already has a foothold (a phished user’s account, a compromised low-privilege service) administrator or SYSTEM rights, which is what turns a single compromised workstation into a domain-wide incident. The two are routinely chained: RCE to get in, Elevation of Privilege to take over.

Takeaways and Next Steps

With these vulnerabilities posing significant threats, here are three essential takeaways and next steps for organizations to secure their systems:

  1. Don’t Put Windows on the Internet
    Windows servers and services, such as Remote Desktop Services (formerly Terminal Server), are not safe to expose directly to the internet. They should sit behind a firewall or a proxy service such as an RD Gateway and be reachable only after proper authentication, such as over a VPN with multi-factor authentication. It’s essential to limit direct exposure to the internet. About 10% of CyberStreams clients come to us after being hacked because their services were exposed this way.

  2. End-of-Life Software
    Using unsupported, end-of-life Microsoft software leaves your systems vulnerable unless you’re in the ESU program, which provides paid updates for up to three years past end of support. As of this writing that covers Windows Server 2012/R2 (ESU runs through October 2026) and, from October 2025, Windows 10. ESU for Windows 7 and Windows Server 2008/R2 has already ended, so those versions receive no security updates at all, paid or otherwise. If you're running older versions, upgrade immediately to avoid unnecessary risk.

  3. Patch Management
    Ensure that all your systems are both receiving the latest patches and successfully applying them; the two are not the same, and patches regularly fail to install or cause problems after installation. A patch management strategy needs to deploy updates on a regular schedule, verify on each system that the update actually installed, catch and remediate failures, and stage rollouts (pilot group first) so a bad patch is caught before it reaches every machine.
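
A local check for the three takeaways above, as an added example that is not CyberStreams’ own tooling or anything from Microsoft’s release notes: it reports whether Remote Desktop is enabled, listening and allowed inbound from any address, whether the OS is past its end-of-support date, and whether patches are landing (last installed hotfix, recent installation failures, updates still pending). The end-of-support dates in the table are Microsoft’s published dates for the products named in this post; the 45-day and 30-day windows are chosen thresholds, not Microsoft values.

```powershell
# Added example (not code from the original post). Local posture check for the
# three takeaways: RDP exposure, end-of-support status, and patch health.
# Run in an elevated PowerShell 5.1+ session on Windows 8.1 / Server 2012 R2 or
# later (the NetSecurity cmdlets do not exist on Windows 7 / Server 2008 R2).

$now = Get-Date

# 1. Remote Desktop: is it on, is NLA enforced, and does the host firewall accept
#    3389 from any address? "Any" on the host firewall is only a local proxy for
#    exposure; confirm from outside the perimeter whether 3389 is actually
#    reachable from the internet.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled   = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nlaRequired  = (Get-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1
$rdpListening = [bool](Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue)
$rdpOpenToAny = [bool](
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
      Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
      Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
)

# 2. End of support. Dates are Microsoft's published end-of-support dates for the
#    products the post names (ESU for Windows 7 and Server 2008/R2 has also ended).
$os = Get-CimInstance Win32_OperatingSystem
$endOfSupport = [ordered]@{
    'Windows 7'           = [datetime]'2020-01-14'
    'Windows Server 2008' = [datetime]'2020-01-14'   # matches 2008 and 2008 R2
    'Windows Server 2012' = [datetime]'2023-10-10'   # matches 2012 and 2012 R2
    'Windows 10'          = [datetime]'2025-10-14'
}
$eol = $null
foreach ($name in $endOfSupport.Keys) {
    if ($os.Caption -like "*$name*") { $eol = $endOfSupport[$name]; break }
}

# 3. Patch health: last installed hotfix, install failures in the System log
#    (Microsoft-Windows-WindowsUpdateClient event 20 = "Installation Failure"),
#    and updates the Windows Update agent knows about but has not installed.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$daysSincePatch = if ($lastFix) { ($now - $lastFix.InstalledOn).Days } else { $null }
$failed = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
    Id = 20; StartTime = $now.AddDays(-30)
} -ErrorAction SilentlyContinue)
$pending = $null
try {
    # Queries the configured update source (WSUS or Microsoft Update); can take a minute.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates.Count
} catch { Write-Warning "Update search failed: $($_.Exception.Message)" }

# Summarise, then flag the findings that map back to the three takeaways.
$report = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    OS                 = $os.Caption
    EndOfSupport       = $eol
    PastEndOfSupport   = [bool]($eol -and $eol -lt $now)
    RdpEnabled         = $rdpEnabled
    RdpNlaRequired     = $nlaRequired
    RdpListening       = $rdpListening
    RdpOpenToAny       = $rdpOpenToAny
    LastHotfix         = $lastFix.HotFixID
    DaysSinceLastPatch = $daysSincePatch
    FailedInstalls30d  = $failed.Count
    PendingUpdates     = $pending
}
$findings = @()
if ($report.PastEndOfSupport)           { $findings += 'OS is past end of support: security fixes require ESU or no longer exist.' }
if ($rdpListening -and $rdpOpenToAny)   { $findings += 'RDP accepts inbound connections from any address: put it behind a VPN or RD Gateway.' }
if ($rdpEnabled -and -not $nlaRequired) { $findings += 'RDP is enabled without Network Level Authentication.' }
if ($null -eq $daysSincePatch -or $daysSincePatch -gt 45) { $findings += 'No hotfix installed in the last 45 days: check update delivery.' }
if ($failed.Count -gt 0)                { $findings += "$($failed.Count) update installation failure(s) in the last 30 days." }
if ($pending -gt 0)                     { $findings += "$pending update(s) pending installation." }

$report | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No findings.' }
```

Run it per host (or wrap it in Invoke-Command against a list of servers) and feed the report objects into whatever you use for inventory; the point is that "patched" is something you verify on each machine from the installed-hotfix list and the update client’s own event log, not something you assume because a deployment job reported success.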

Conclusion: Stay Ahead of the Threats

Microsoft’s January 2025 Mega-Patch Tuesday underlines three things: patch promptly, run supported software, and keep Windows services off the open internet. Organizations that fall behind on patches or keep outdated systems in service face significant and growing risk as new vulnerabilities are found in them. Don’t let your organization be left vulnerable: take proactive steps now to ensure you're protected against the latest threats.

A reliable and engaged partner in the IT support and services sector is crucial for achieving consistent growth through effective technological strategies. Mat Kordell, Chief Operating Officer of CyberStreams, is dedicated to assisting clients in optimizing their technology for a competitive edge.

At CyberStreams, Mat leads a team focused on delivering outstanding IT security and services. Drawing on his wealth of experience and practical knowledge, Mat ensures that clients receive comprehensive support and direction for their IT security projects. With CyberStreams as your partner, you'll have the resources to enhance your business systems and thrive in today's competitive business environment.

Mat Kordell | Chief Operating Officer | CyberStreams


