微软在2025年8月的补丁星期二发布了安全更新,修复了107个漏洞,包括一个公开披露的Windows Kerberos零日漏洞(CVE-2025-53779),该漏洞允许攻击者获取域管理员权限。此外,还修复了一个高危堆溢出漏洞(CVE-2025-53766),可导致远程代码执行。 2025-8-12 22:50:10 Author: securityaffairs.com(查看原文) 阅读量:14 收藏
August 2025 Patch Tuesday fixes a Windows Kerberos Zero-Day
Microsoft Patch Tuesday security updates for August 2025 fixed 107 flaws, including a publicly disclosed Windows Kerberos zero-day.
Microsoft Patch Tuesday security updates for August 2025 fixed 107 vulnerabilities in Windows and Windows Components, Office and Office Components, Microsoft Edge (Chromium-based), Azure, GitHub Copilot, Dynamics 365, SQL Server, and Hyper-V Server.
12 vulnerabilities are rated Critical, 93 are rated Important, one is rated Moderate, one is rated Low in severity.
One of the flaws, tracked as CVE-2025-53779 (CVSS score 7.2), is a Windows Kerberos zero-day that was publicly disclosed. An authenticated attacker can trigger the vulnerability to gain domain admin rights via relative path traversal.
“An attacker who successfully exploited this vulnerability could gain domain administrator privileges.” reads the advisory. “To successfully exploit this vulnerability, an attacker would need to have elevated access to certain attributes of the dMSA, specifically:
- msds-ManagedAccountPrecededByLink: The attacker needs write access to this attribute, which allows them to specify a user that the dMSA can act on behalf of.”
- msds-groupMSAMembership: This attribute allows the user to utilize the dMSA.”
The most severe vulnerability addressed by Microsoft is a heap-based buffer overflow in Windows GDI+, tracked as CVE-2025-53766 (CVSS score of 9.8), that allows an unauthorized attacker to execute code over a network.
The flaw can be exploited via a crafted metafile in a document, potentially even through web uploads without user interaction, posing high-risk scenarios.
“An attacker doesn’t require any privileges on the systems hosting the web services. Successful exploitation of this vulnerability could cause Remote Code Execution or Information Disclosure on web services that are parsing documents that contain a specially crafted metafile, without the involvement of a victim user.” reads the advisory.
The full list of CVEs addressed by Microsoft with the release of Patch Tuesday security updates for August 2025 is available here.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Patch Tuesday)
如有侵权请联系:admin#unsafe.sh