All news with #windows tag

01flip: Rust-Based Multi-Platform Ransomware Targeting APAC

🔐 Unit 42 identified 01flip, a new Rust‑based ransomware family observed in June 2025 that targets both Windows and Linux via Rust cross‑compilation. The malware enumerates writable directories, drops RECOVER-YOUR-FILE.TXT ransom notes, renames files with a .01flip extension, and encrypts victims with AES‑128‑CBC while protecting session keys with an embedded RSA‑2048 public key. Observed victims are a limited set in the Asia‑Pacific region, and an alleged data dump appeared on a dark‑web forum after at least one infection.

Microsoft December 2025 Patch Tuesday: 57 Fixes, 3 Zero-Days

🔒 Microsoft's December 2025 Patch Tuesday delivers fixes for 57 vulnerabilities, including three zero-day flaws — one actively exploited and two publicly disclosed. The update addresses 19 remote code execution, 28 elevation of privilege, four information disclosure, three denial of service, and two spoofing issues across Windows, PowerShell, Office, Exchange Server and drivers. Administrators should prioritize the actively exploited CVE-2025-62221 and apply vendor patches promptly.

Microsoft Quietly Patches Long-Exploited Windows LNK Bug

🔒 Microsoft has quietly fixed CVE-2025-9491, a Windows Shortcut (.LNK) UI misinterpretation flaw that enabled remote code execution and has been abused since 2017 by multiple state-affiliated and criminal groups. The change, deployed in November 2025, forces the Properties dialog to display the full Target command string regardless of length, removing the truncation that hid malicious arguments. Vendors including 0patch and ACROS Security noted alternative mitigations — a UI change by Microsoft and a warning-based micropatch — that together reduce user exposure.

Microsoft adds Teams call handler to speed Windows client

⚡Microsoft will introduce a new Teams call handler, ms-teams_modulehost.exe, that runs as a child process to manage the calling stack separately from the main ms-teams.exe application, improving startup times and in-meeting performance. The change is transparent to end users and requires no retraining. Administrators should allowlist the new process in security and endpoint protection systems and notify helpdesk staff to avoid false positives during the rollout.

Active Exploitation of 7-Zip Symbolic Link Flaw Now

⚠️A high-severity vulnerability (CVE-2025-11001, CVSS 7.0) in 7-Zip that mishandles symbolic links in ZIP archives is being actively exploited in the wild, NHS England Digital warns. The flaw can trigger directory traversal and enable remote code execution and was addressed in 7-Zip 25.00 released in July 2025. A related issue, CVE-2025-11002, was also fixed in that release. Proof-of-concept exploits are public, and exploitation requires an elevated Windows user or service account or developer mode enabled, so users should apply the update immediately.

Windows bug prevents Microsoft 365 desktop app installs

⚠️ Microsoft is addressing a known issue that prevents users from installing Microsoft 365 desktop apps on Windows devices. The problem stems from misconfigured authentication components affecting versions 2508 (Build 19127.20358) and 2507 (Build 19029.20294). The team is reconfiguring the components and expects a full remediation later today. Microsoft tagged the outage as incident OP1186186 and is also investigating a related admin access issue tracked as MO1176905.

Microsoft Patch Tuesday — November 2025: 60+ Vulnerabilities

🔒 Microsoft released updates addressing more than 60 vulnerabilities across Windows and related products, including a zero-day memory-corruption bug (CVE-2025-62215) that is already being exploited. Microsoft rates this issue important because exploitation requires prior access to the target device. Other high-priority fixes include a 9.8-rated GDI+ vulnerability (CVE-2025-60274) and an Office remote-code-execution flaw (CVE-2025-62199). Windows 10 users should install the enrollment fix KB5071959 before applying subsequent updates.

Microsoft November 2025 Patch Tuesday: 63 Flaws, 1 Zero-Day

🛡️ Microsoft’s November 2025 Patch Tuesday addresses 63 vulnerabilities, including one actively exploited zero-day in the Windows Kernel (CVE-2025-62215). The update bundle includes four Critical issues and a broad set of fixes across kernel, RDP, Hyper-V, drivers, Office components and other Windows subsystems. Organizations still on unsupported Windows 10 should upgrade to Windows 11 or enroll in Microsoft’s ESU program; Microsoft also released an out-of-band patch to fix an ESU enrollment bug.

Authentication Coercion: Abusing Rare Windows RPC Interfaces

🔒 Unit 42 details how attackers force Windows hosts to authenticate to attacker-controlled systems by abusing rarely monitored RPC interfaces. The report explains techniques, including misuse of UNC path parameters and obscure opnums, and reviews a March 2025 healthcare incident that leveraged MS-EVEN ElfrOpenBELW. It outlines indicators such as bursts of failed NTLM authentications and RPC calls containing external UNC targets. Recommendations include detection, RPC filtering, SMB signing, and Cortex XDR protections.

Microsoft Secure Future Initiative — November 2025 Report

🔐 Microsoft’s November 2025 progress report on the Secure Future Initiative outlines governance expansion, engineering milestones, and product hardening across Azure, Microsoft 365, Windows, Surface, and Microsoft Security. The update highlights measurable gains — a nine-point rise in security sentiment, 95% employee completion of AI-attack training, 99.6% phishing-resistant MFA enforcement, and 99.5% live-secrets detection and remediation. It also introduces AI-first security capabilities, new detections, and 10 actionable SFI patterns to help customers improve posture.

October Windows Updates Can Trigger BitLocker Recovery

🔒 Microsoft warned that installing Windows security updates released on or after October 14, 2025 can cause some systems to boot into BitLocker recovery, prompting users to enter their recovery key on first restart. The issue mainly affects Intel devices that support Connected Standby (Modern Standby) and occurs during restart or startup on Windows 11 24H2/25H2 and Windows 10 22H2. Microsoft says devices should boot normally after the key is entered and offers a Group Policy mitigation via Known Issue Rollback (KIR), with affected customers advised to contact Microsoft Support for Business.

New Airstalk Malware Abuses AirWatch for Covert C2

🛡️ We have discovered a new Windows-based malware family named Airstalk that abuses the AirWatch (Workspace ONE UEM) API to establish a covert command-and-control channel and exfiltrate browser artifacts. Two variants were observed: a PowerShell variant focused on Chrome cookie and bookmark theft, and a more advanced .NET variant that adds multi-threaded C2, beaconing, versioning, and support for Microsoft Edge and Island Browser. Several .NET samples were signed with a likely stolen certificate that was revoked shortly after issuance. Unit 42 assesses with medium confidence that a suspected nation-state actor used Airstalk in a likely supply chain compromise and provides IoCs and mitigation guidance.

Microsoft Disables Explorer Preview for Internet Files

🔒 Microsoft has updated File Explorer to disable the preview pane by default for files downloaded from the Internet or marked with the Mark of the Web. The change, included in Windows security updates released on and after October 14, 2025, is designed to block exploits that can leak NTLM hashes when previewed documents reference external resources. When preview is blocked, File Explorer shows a warning and users can manually unblock trusted files via Properties > Unblock or add the location to Trusted sites/Local intranet; a sign-out may be required for the change to take effect.

Microsoft fixes bug blocking classic Outlook startup

🛠️ Microsoft has implemented a fix for a major issue that prevented some Microsoft 365 customers from launching the classic Outlook client on Windows. Affected users reported errors indicating the app could not be started, the Outlook window would not open, or Exchange sign-in failed. Microsoft marked the incident as fixed and said the Outlook team is monitoring the rollout, while recommending Outlook Web Access or the new Outlook for Windows as temporary workarounds.

Microsoft October 2025 Patch Causes Enterprise Failures

🚨 The October 2025 Windows security update KB5066835, intended to move cryptography from CSP to KSP, is causing widespread enterprise disruption. Affected platforms — including Windows 10 (22H2), Windows 11 (23H2–25H2) and several Windows Server releases — report smartcard and certificate failures, USB mouse/keyboard loss in WinRE, IIS ERR_CONNECTION_RESET and WUSA installation errors. Microsoft published a registry workaround (DisableCapiOverrideForRSA=0) and an out‑of‑band update (KB5070773) for some issues, but urges caution and recommends thorough testing before broad deployment.

Microsoft October Windows Updates Break Smart Card Auth

🔒 Microsoft warns the October 2025 Windows security updates are causing smart card authentication and certificate failures by switching RSA-based smart card certificates to use KSP instead of CSP. Affected systems may report errors such as "invalid provider type specified" or "CryptAcquireCertificatePrivateKey error" and Event ID 624 in the Smart Card Service log. Microsoft provides a manual workaround: set the DisableCapiOverrideForRSA registry value to 0, back up the registry first, then restart. This impacts Windows 10, Windows 11 and Windows Server releases; the company says the key will be removed in April 2026 and urges customers to work with application vendors to resolve compatibility.

Microsoft Removes Additional Safeguard Holds for Windows 11

✅ Microsoft removed two safeguard holds blocking Windows 11 24H2 installs. The April hold affecting systems using SenseShield's sprotect.sys driver—which could trigger BSODs—was lifted after a security.sys driver update; the feature update will be offered within 48 hours. The September 2024 hold for wallpaper customization apps that caused display and virtual-desktop issues was removed on October 15, 2025; affected devices may see a warning and must confirm before upgrading. Microsoft advises updating or uninstalling problematic apps or contacting their developers for support.

Microsoft fixes Windows localhost HTTP/2 connection bug

🔧 Microsoft has fixed a known issue that broke HTTP/2 connections to localhost (127.0.0.1) and caused IIS sites to fail after recent Windows security updates. Affected systems included Windows 11 and Windows Server 2025, producing errors like “ERR_CONNECTION_RESET” and “ERR_HTTP2_PROTOCOL_ERROR”. Microsoft recommends checking Windows Update and restarting; it also enabled a Known Issue Rollback (KIR) for most home and non-managed devices, while enterprise admins can deploy a KIR group policy until a permanent update ships.

WhatsApp-Based Self-Spreading Malware Hits Brazil Nationwide

⚠️ Trend Micro has uncovered a self-propagating malware campaign named SORVEPOTEL that primarily targets Brazilian Windows users via WhatsApp. The attack is delivered through convincing phishing messages with malicious ZIP attachments that contain LNK shortcuts which trigger PowerShell to download a batch payload. The payload establishes persistence by copying itself to the Windows Startup folder and contacts a command-and-control server, and if WhatsApp Web is active the malware automatically forwards the infected ZIP to contacts and groups, causing rapid spread and frequent account bans. Researchers report no evidence of data exfiltration or file encryption so far.

Microsoft Partially Resolves DRM Video Playback Issue

🔧 Microsoft says it has partially resolved an issue that caused DRM-protected video playback failures on Windows 11 24H2 systems after the August preview update (KB5064081) or later. Affected applications using Enhanced Video Renderer with HDCP enforcement or DRM for digital audio experienced freezes, black screens, and copyright protection errors. The September preview update KB5065789 contains fixes, though Microsoft warns some audio DRM problems may continue for certain applications.