Guest Post: July Patch Tuesday Commentary From Fortra - Critical CVEs Highlight Gaps in Visibility and Patch Readiness

Tyler Reguly, Associate Director, Security R&D, Fortra

Welcome to the Everything but the Kitchen Sink of Patch Tuesdays… it feels like Microsoft decided to take all their odds and ends and fix them this month. Thankfully cumulative updates make the job of dealing with these types of patch drops a little easier, but whenever I see this, my immediate thought is, “What will get missed?”

I think there are two CVEs that everyone will be talking about today.

The first is CVE-2025-47981, which will be at the top of everyone’s list. This heap-based buffer overflow in Windows SPNEGO Extended Negotiation can allow for remote, unauthenticated code execution. This is a worst-case scenario and, to top it all off, Microsoft says that exploitation is more likely with this vulnerability.

Interestingly, Microsoft indicates that this affects Windows 10 1607 and above due to a GPO being enabled by default. Specifically, “Network security: Allow PKU2U authentication requests to this computer to use online identities.” More details on this setting are available from learn.microsoft.com. Based on Microsoft’s presentation of the information, disabling this GPO will mitigate this vulnerability.

It’s no secret that a lot of organizations run outdated software in places like ATMs, kiosks, and end-user terminals. According to StatCounter, Windows 7 still has more than a 2% market share. Could these unpatched devices be vulnerable to this network-based attack if someone enabled the GPO?
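The mitigation described above hinges on whether the PKU2U policy is enabled on a given host, so the first thing a defender wants is a quick audit across the fleet. The following PowerShell is an added example, not code from the post or from Fortra. It assumes, from Microsoft's documentation of this policy rather than from the post, that "Network security: Allow PKU2U authentication requests to this computer to use online identities" is backed by the registry value HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID (DWORD, 1 = enabled, 0 = disabled, absent = not explicitly configured). It only reads the setting; changing it belongs in Group Policy, and disabling it is a mitigation, not a replacement for the update.

```powershell
# Added example: audit the PKU2U "use online identities" policy state on one or more hosts.
# Assumption (not stated in the post): the policy maps to the registry value below.
function Get-Pku2uOnlineIdState {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs locally or, via PowerShell remoting, on each named host.
    $probe = {
        $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
        # -ErrorAction SilentlyContinue yields $null when the key or value is absent.
        $item = Get-ItemProperty -Path $path -Name 'AllowOnlineID' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            RawValue     = if ($null -ne $item) { [int]$item.AllowOnlineID } else { $null }
        }
    }

    foreach ($name in $ComputerName) {
        $result = if ($name -ieq $env:COMPUTERNAME) {
            & $probe
        } else {
            Invoke-Command -ComputerName $name -ScriptBlock $probe
        }

        # The post states the policy is enabled by default on Windows 10 1607 and later,
        # so an absent value is flagged for review rather than assumed safe.
        $assessment = switch ($result.RawValue) {
            $null   { 'NotConfigured: policy not explicitly set; OS default applies, review' }
            1       { 'Enabled: GPO-based mitigation for CVE-2025-47981 not in place' }
            0       { 'Disabled: GPO-based mitigation in place (still apply the update)' }
            default { "Unexpected value $($result.RawValue); review manually" }
        }

        [pscustomobject]@{
            ComputerName = $result.ComputerName
            AllowOnlineID = $result.RawValue
            Assessment   = $assessment
        }
    }
}

# Local check; pass -ComputerName with a list of hosts to sweep the fleet over WinRM.
Get-Pku2uOnlineIdState | Format-Table -AutoSize
```

Feed the output into whatever the team already uses for compliance reporting; the interesting rows are the ones marked NotConfigured on hosts that cannot take the update promptly, because those are where the post's question about unpatched kiosks and terminals applies.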

The other CVE that I suspect will be discussed is CVE-2025-49719, an information disclosure in Microsoft SQL Server. Microsoft notes that this vulnerability has been publicly disclosed and can leak uninitialized memory. One interesting aspect of this vulnerability is that Microsoft mentions in the FAQ that organizations with applications that use the OLE DB driver should, “Update the drivers to the versions listed on this page, which provide protection against this vulnerability.” However, there are no OLE DB driver versions listed on the page and no updates provided in the update section. This prompts the question, “Is the OLE DB Driver impacted or is this an FAQ copy and paste error?” If the driver is impacted, where are the updates?

While I’m not a CSO, I do like to think about a CSO’s job on Patch Tuesday or in relation to any patching and security risks. There are two things that stood out to me today.

Given the mismatched information in guidance for CVE-2025-49719, there’s a chance that Microsoft might update the FAQ and/or add additional updates. This could be done out of band and, if it is, will your team know about the change? The first thing I would want to know after seeing this would be whether or not my team is monitoring for updates or subscribed to update notifications. Sometimes, we fall into a habit of only checking for new data when it is expected (i.e. the second Tuesday of the month), but are we catching data that drops outside that window?
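One concrete way to catch a guidance change that lands outside the expected window is to keep a record of each Microsoft security release's current revision date and alert when it moves. The PowerShell below is an added example, not from the post or from Fortra. It assumes, from the public MSRC CVRF API rather than from the post, that https://api.msrc.microsoft.com/cvrf/v2.0/updates returns a `value` array whose entries carry `ID`, `DocumentTitle`, `InitialReleaseDate` and `CurrentReleaseDate`; the state-file path and the sample response are placeholders constructed for the example.

```powershell
# Added example: flag new or revised MSRC releases since the last check.
# Assumption (not from the post): the field names below match the MSRC CVRF v2.0 "updates" feed.
function Get-MsrcReleaseRevisions {
    param(
        [Parameter(Mandatory)] [object[]]$Releases,                       # entries from the feed's "value" array
        [string]$StatePath = (Join-Path $env:TEMP 'msrc-release-state.json')  # placeholder location
    )

    # Load the last-seen CurrentReleaseDate per release ID, if a previous run stored one.
    $previous = @{}
    if (Test-Path $StatePath) {
        $saved = Get-Content -Path $StatePath -Raw | ConvertFrom-Json
        foreach ($prop in $saved.PSObject.Properties) { $previous[$prop.Name] = $prop.Value }
    }

    $changes = foreach ($r in $Releases) {
        $initial = [datetime]$r.InitialReleaseDate
        $current = [datetime]$r.CurrentReleaseDate
        $seen    = $previous[$r.ID]

        if ($null -eq $seen) {
            $kind = 'New'
        } elseif ([datetime]$seen -lt $current) {
            $kind = 'Revised'
        } else {
            continue    # unchanged since last check
        }

        [pscustomobject]@{
            ID             = $r.ID
            Title          = $r.DocumentTitle
            Change         = $kind
            InitialRelease = $initial
            CurrentRelease = $current
            # A revision dated after the initial release is, by definition, out of band.
            OutOfBand      = ($current.Date -ne $initial.Date)
        }
        $previous[$r.ID] = $current.ToString('o')
    }

    # Persist state so the next run only reports what moved.
    $previous | ConvertTo-Json | Set-Content -Path $StatePath
    $changes
}

# Constructed sample standing in for the live feed so the function runs offline.
$sample = @'
{"value":[{"ID":"2025-Jul","DocumentTitle":"July 2025 Security Updates",
"InitialReleaseDate":"2025-07-08T07:00:00Z","CurrentReleaseDate":"2025-07-08T07:00:00Z"}]}
'@ | ConvertFrom-Json

Get-MsrcReleaseRevisions -Releases $sample.value -StatePath (Join-Path $env:TEMP 'msrc-demo-state.json')

# Live use (assumed endpoint), scheduled daily rather than only on the second Tuesday:
# $live = Invoke-RestMethod -Uri 'https://api.msrc.microsoft.com/cvrf/v2.0/updates'
# Get-MsrcReleaseRevisions -Releases $live.value | Where-Object Change -eq 'Revised'
```

Run this on a daily schedule and route any `Revised` row with `OutOfBand` set to the patching team; that is exactly the kind of FAQ or update-list correction for CVE-2025-49719 that a second-Tuesday-only habit would miss.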

The other thing that stood out to me today was the breadth of software impacted this month. Do you know everywhere that the software is in use? A lot of organizations use the fire hose method, where they push out the patches as wide as they can, but they don’t always know that they are patching everything. This is where vulnerability management can help, but it is also limited. You can’t patch systems and software that you don’t know about, and you also can’t manage their vulnerabilities. This is where a CMDB (Configuration Management Database) is critical to the survival of an organization. As a CSO, ask yourself if you have a CMDB deployed and then ask your team if it is being maintained on a regular basis. A CMDB is only as good as the last entry, and if that last entry was a year ago, you are likely missing key information that could inform your patching decisions.
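The gap between "we pushed the patch everywhere" and "we know everywhere it was needed" shows up as soon as the CMDB export is reconciled against what the patch tool actually reported. The PowerShell below is an added example, not from the post or from Fortra. It assumes two CSV exports with the column layout shown (hostname, owner and last-updated date from the CMDB; hostname and update identifier from the patch system); the sample rows and the `KB-PLACEHOLDER` value are constructed for the example.

```powershell
# Added example: reconcile a CMDB export against patch-deployment reports.
# Assumption (not from the post): CMDB rows carry Hostname/Owner/LastUpdated, patch rows Hostname/KB.
function Compare-PatchCoverage {
    param(
        [Parameter(Mandatory)] [object[]]$CmdbAssets,
        [Parameter(Mandatory)] [object[]]$PatchReports,
        [int]$StaleDays = 90,                 # CMDB entries older than this are treated as unreliable
        [datetime]$AsOf = (Get-Date)
    )

    # Hostnames are compared case-insensitively; tools rarely agree on casing.
    $patched = @{}
    foreach ($p in $PatchReports) { $patched[$p.Hostname.ToLowerInvariant()] = $true }
    $known = @{}
    foreach ($a in $CmdbAssets)   { $known[$a.Hostname.ToLowerInvariant()] = $a }

    $cutoff = $AsOf.AddDays(-$StaleDays)

    [pscustomobject]@{
        # In the CMDB but never reported by the patch tool: the fire hose missed them.
        UnpatchedKnownAssets = @($CmdbAssets |
            Where-Object { -not $patched.ContainsKey($_.Hostname.ToLowerInvariant()) } |
            ForEach-Object Hostname)
        # Patched but absent from the CMDB: the inventory is incomplete.
        PatchedUnknownHosts  = @($patched.Keys | Where-Object { -not $known.ContainsKey($_) })
        # CMDB rows nobody has touched recently: their other fields should not be trusted.
        StaleCmdbEntries     = @($CmdbAssets |
            Where-Object { ([datetime]$_.LastUpdated) -lt $cutoff } |
            ForEach-Object Hostname)
    }
}

# Constructed sample exports (not real inventory data).
$cmdb = @'
Hostname,Owner,LastUpdated
kiosk-01,Retail,2024-06-01
sql-prod-02,DBA,2025-06-20
ws-finance-17,Finance,2025-07-01
'@ | ConvertFrom-Csv

$patches = @'
Hostname,KB
SQL-PROD-02,KB-PLACEHOLDER
ws-finance-17,KB-PLACEHOLDER
lab-vm-09,KB-PLACEHOLDER
'@ | ConvertFrom-Csv

# With the sample data: kiosk-01 is unpatched and stale, lab-vm-09 was patched but is unknown to the CMDB.
Compare-PatchCoverage -CmdbAssets $cmdb -PatchReports $patches -AsOf (Get-Date '2025-07-08') | Format-List
```

Each of the three lists maps to a different owner: unpatched known assets go to the patching team, patched unknown hosts go to whoever maintains the CMDB, and stale entries are the measure the post asks a CSO to check, namely whether the CMDB is actually being maintained.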
