Latest Windows 11 and Office Updates Explained

Jun 3, 2025

➡️ Watch full clip here: https://youtu.be/Lo3tjSpAzFw
➡️ Register for Patch Tuesday Webinar Series: https://www.ivanti.com/lp/webinar-series/patch-tuesday
➡️ Download slides here: https://www.ivanti.com/resources/patch-tuesday

Microsoft announces updates for Windows 11, showing a decrease in vulnerabilities compared to last month. While known exploited vulnerabilities are noted, specific details on security fixes are limited. Windows 10 also receives updates, but some issues remain unresolved. The Office suite addresses critical vulnerabilities, and SharePoint server updates are deemed important with no reported issues.
A busy month features multiple software updates, especially from Oracle with its Java releases. Numerous security updates are tracked, including CVE information from various vendors. Non-security updates focus on performance enhancements and bug fixes. Regular updates for browsers like Google Chrome and Firefox address security vulnerabilities. Oracle's quarterly Java updates support long-term service versions, while additional vulnerabilities are noted in products like the Horizon client, VirtualBox and Python.

Key Takeaways
Microsoft resolved 72 new CVEs, including five zero-day exploits.
The Windows 11 and Server 2025 update for May includes three AI features and a considerably larger installer size (~4GB).
Adobe released 13 updates resolving 39 CVEs, 33 of which are rated Critical.
May Patch Tuesday resolves five actively exploited and two publicly disclosed vulnerabilities. Spoiler alert: all five zero-days are resolved by deploying the Windows OS update. Also, this month Windows 11 and Server 2025 updates include some new AI features, but they carry a lot of baggage. Literally – they are around 4GB! New AI features include Recall, Click to Do and Improved Windows Search.
Microsoft has resolved a total of 72 new CVEs this month, six of which are rated Critical. The five zero-day vulnerabilities are rated Important, but using a risk-adjusted scoring model they would all be rated Critical.
Microsoft exploited vulnerabilities
Microsoft resolved an Elevation of Privilege vulnerability in Windows Ancillary Function Driver for WinSock (CVE-2025-32709) that could allow an attacker to elevate privileges locally to gain administrator privileges. The vulnerability affects Windows Server 2012 and later OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft rates its severity as Important, and it has a CVSS 3.1 score of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.
Microsoft resolved a pair of Elevation of Privilege vulnerabilities in Windows’ Common Log File System Driver (CVE-2025-32706 and CVE-2025-32701) that could allow an attacker to elevate privileges locally to gain SYSTEM privileges. The vulnerabilities affect all Windows OS versions. The vulnerabilities are confirmed to be exploited in the wild. Microsoft’s severity rating for both CVEs is Important, and both have a CVSS 3.1 score of 7.8. Risk-based prioritization warrants treating these vulnerabilities as Critical.

Chapters:

0:00 - Microsoft & Security Updates

1:16 - Windows & Office Updates

3:14 - SharePoint Server Fixes