Welcome to my April 2025 Patch Monday newsletter! It's been a busy month for our normal vendors in the chart below. Let's focus on the zero days first. From Apple we have a privilege escalation vulnerability affecting Apple's CoreMedia component. This affects macOS Ventura and Sonoma. There is also another zero day affecting CoreAudio in macOS Sequoia and iOS and iPadOS which could allow arbitrary code to be ran. We also have an out-of-bounds write issue zero day affecting WebKit on Apple Watches series 6 or later and iOS/iPadOS. Finally we have a pretty sophisticated physical attack that could allow a bad actor to disable USB Restricted Mode on a locked device running iOS and iPadOS. So we have a handful of Apple zero days in the last month. Make sure you get all these devices up to date.
In addition to these, Chrome released updates to address 19 vulnerabilities in the last 30 days. Of these, 3 are rated high and 1 is rated critical. The good news is none are reported to be either publicly known or actively exploited. But, you will want to make sure your browsers get restarted to finalize these updates.
Besides these it was a pretty standard month for Adobe, Mozilla and Zoom. See the chart below for the rest of the patches.
This month's newsletter sponsor, LOGbinder, released a new version of Supercharger for Windows Event Collection recently. I hosted a webinar for them where we discussed all the steps to setup Windows Event Collection for "internet" aka "off network" endpoints. Then we showed how Supercharger takes this huge process and makes it extremely easy to get done. Even if you missed it you can register to watch the recording now.
Be sure to browse the chart below and happy patching!
|
|
So, without further ado, here’s the chart of non-Microsoft 3rd party patches that affect Windows platforms in the past month.
|
Patch data provided by: |
 |
||||
|
Identifier |
Vendor/ |
Affected Versions |
Date Released |
Vulnerability Info |
Vender Severity / Our Recommedation |
|
Adobe Coldfusion |
2025 Build 331385 |
4/8/2025 |
Arbitrary Code Execution, Arbitrary File System Read, Security Feature Bypass |
Critical Priority 1: Update within 72 hours |
|
|
Adobe After Effects |
24.6.4 and earlier |
4/8/2025 |
Application DoS, Arbitrary Code Execution, Memory Leak |
Critical Priority 3: Update at admins discretion |
|
|
Adobe Media Encoder |
24.6.4 and earlier |
4/8/2025 |
Arbitrary Code Execution |
Critical Priority 3: Update at admins discretion |
|
|
Adobe Bridge |
14.1.5 and earlier |
4/8/2025 |
Arbitrary Code Execution |
Critical Priority 3: Update at admin's discretion |
|
|
Adobe Commerce |
Commerce/Magento Open Source 2.4.8-beta2, |
4/8/2025 |
Application DoS, Privilege Escalation, Security Feature Bypass |
Important Priority 2: Update within 30 days |
|
|
Adobe Experience Manager Forms |
6.5.22.0 (AEMForms-6.5.0-0093) and earlier |
4/8/2025 |
Case Sensitive Match Exception, Path Traversal |
Priority 2: Update at admins discretion |
|
|
Adobe Premiere Pro |
24.6.4 and earlier |
4/8/2025 |
Arbitrary Code Execution |
Critical Priority 3: Update at admins discretion |
|
|
Adobe Photoshop |
2025 26.4.1 and earlier |
4/8/2025 |
Arbitrary Code Execution |
Critical Priority 3: Update at admins discretion |
|
|
Adobe Animate |
2023 23.0.10 and earlier |
4/8/2025 |
Arbitrary Code Execution, Memory Leak |
Critical Priority 3: Update at admins discretion |
|
|
Adobe Experience Manager Screens |
AEM 6.5 Screens FP11.3 and earlier |
4/8/2025 |
Arbitrary Code Execution |
Important Priority 2: Update within 30 days |
|
|
Adobe FrameMaker |
2020 Release Update 7 and earlier |
4/8/2025 |
Application DoS, Arbitrary Code Execution, Memory Leak |
Critical Priority 3: Update at admins discretion |
|
|
Adobe XMP Toolkit SDK |
2023.12 and earlier |
4/8/2025 |
Memory Leak |
Important Priority 3: Update at admins discretion |
|
|
Apple macOS Ventura |
Before 13.7.5 |
3/31/2025 |
Arbitrary Code Execution, Buffer Overflow, Denial of Service, Information Leak, Memory Leak, Out of Bounds Read/Write, Privilege Escalation, Race Condition, Security Feature Bypass, Type Confusion, Unauthorized Access, Use After Free |
Update ASAP | |
|
Apple macOS Sonoma |
Before 14.7.5 |
3/31/2025 |
Arbitrary Code Execution, Buffer Overflow, Denial of Service, Information Leak, Library Injection, Memory Leak, Out of Bounds Read/Write, Privilege Escalation, Race Condition, Security Feature Bypass, Type Confusion, Unauthorized Access, Use After Free |
Update ASAP | |
|
Apple macOS Sequoia |
Before 15.4.1 |
4/16/2025 |
Arbitrary Code Execution, Buffer Overflow, Denial of Service, Information Leak, Memory Leak, Out of Bounds Read/Write, Privilege Escalation, Race Condition, Security Feature Bypass, Type Confusion, Unauthorized Access, Use After Free |
Update ASAP | |
|
Apple Safari |
Before 18.4 |
3/31/2025 |
Buffer Overflow, Cross Site Scripting, Information Leak, Security Feature Bypass, Spoofing, Type Confusion, Unauthorized Access, Use After Free |
Update after testing | |
|
Apple iOS |
iOS/iPadOS before 18.4 |
3/31/2025 |
Arbitrary Code Execution, Cross Site Scripting, Data Leak, Denial of Service, Memory Leak, Out of Bounds Read, Security Feature Bypass Type Confusion, Unauthorized Access, Use After Free |
Update ASAP | |
|
Apple watchOS |
before 11.4 |
4/1/2025 |
xArbitrary Code Execution, xBuffer Overflow, Cross Site Scripting, Data Leak, Denial of Service, xMemory Leak, xOut of Bounds Read, xSecurity Feature Bypass, Type Confusion, xUnauthorized Access, Use After Free |
Update ASAP | |
|
Google |
Before 135.0.7049.114 (Linux) |
4/22/2025 |
Heap Buffer Overflow, Inappropriate Implementation, Use After Free |
Update after testing | |
|
Mozilla Thunderbird |
Before 138 |
4/29/2025 |
Arbitrary Code Execution, Cross Site Forgery, Information Leak, Out of Bounds, Privilege Escalation, Spoofing, Use After Free, User Confusion |
Update after testing |
|
|
Mozilla Thunderbird ESR |
Before 128.10 |
4/29/2025 |
Arbitrary Code Execution, Information Disclosure, Out of Bounds, Privilege Escalation, Spoofing, Use After Free |
Update after testing |
|
|
Mozilla Firefox |
Before 138 |
4/29/2025 |
Arbitrary Code Execution, Cross Site Forgery, Information Leak, Out of Bounds, Privilege Escalation, Race Condition, Spoofing, Use After Free, User Confusion |
Update after testing |
|
|
Mozilla Firefox ESR |
Before 128.10 |
4/29/2025 |
Arbitrary Code Execution, Out of Bounds, Privilege Escalation, Spoofing, Use After Free |
Update after testing |
|
|
Zoom Workplace Apps for Windows |
Desktop App before 6.3.10 |
4/8/2025 |
Loss of Integrity |
Update after testing |
|
|
Zoom Workplace Apps for Windows |
Desktop App before 6.3.10 |
4/8/2025 |
Denial of Service |
Update after testing |
|
|
Zoom Workplace Apps |
Desktop App for Windows/macOS/Linux before 6.3.10 |
4/8/2025 |
Cross Site Scripting |
Update after testing |
|
Thanks as always for reading and best wishes on security,
Randy Franklin Smith
Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2025 Monterey Technology Group, All rights reserved. You may forward this email in its entirety but all other rights reserved.
9450 SW Gemini Drive #53822, Beaverton, OR 97008
Note: We do our best to provide quality information and expert commentary but use all information at your own risk.