Microsoft's security updates: Are the threat levels exaggerated?
Microsoft has released its January updates, addressing hundreds of bugs, with the majority deemed serious. But have these threats been slightly overestimated again?
The security bulletins available on the Microsoft Security Response Center website, which describe the monthly update packages, have a tendency to overestimate the severity of threats. Many local vulnerabilities were incorrectly classified as remote, on the grounds that the exploit must originate from the network. By that logic every vulnerability could be considered remote, because the exploit wasn't written on the updated computer itself.
Key fixes
The January bulletins present dozens of vulnerabilities, many with CVSS scores of 9.8 and 8.8, indicating an attack requiring no user interaction. But is this truly the case? The top vulnerability, CVE-2025-21307, pertains to the PGM protocol, which is disabled by default. Another, CVE-2025-21311, relates to the NTLMv1 mechanism, which is also not used by default and primarily affects domain environments.
NTLM, in general, is surprisingly problematic. Its involvement also surfaces in a flaw in the theme engine (Themes, CVE-2025-21308). The third "most significant" flaw, CVE-2025-21298, involves OLE and is marked as remote, supposedly requiring no user interaction.
Overrated CVSS?
Here the misclassification reappears. The attack is indeed remote, since it arrives by email, for example. However, the claim of no interaction is false. The details clearly state that the user must open the malicious email in a vulnerable version of Outlook themselves. This definitely qualifies as user interaction. Loading "enriched" emails in classic Outlook is currently the only network-facing path that involves OLE. For historical reasons Microsoft wants to phase out the old Outlook, but it still faces challenges in doing so.
"Rare" and "disabled by default" are not valid reasons to lower the CVSS score. This merely indicates there is typically no urgent need to patch the theoretically most critical holes, but it's always wise to install updates at the earliest opportunity, contrary to radical opinions. No new issues have been reported so far. What about the numerous other vulnerabilities?
Telephony
The areas of concern are the telephony services (a collection of over thirty CVEs; listing them would resemble, nomen omen, a phone book), Windows Search, exploitable locally (CVE-2025-21292), Remote Desktop (CVE-2025-21309 and CVE-2025-21297, requiring a connection to a malicious server), SPNEGO (CVE-2025-21295, GSSAPI - surprise), malicious multimedia streams (CVE-2025-21291) and Active Directory (CVE-2025-21293).
It turns out that most of the serious issues patched by the January updates are holes in the Telephony service, which is not commonly enabled by default. The vulnerabilities considered less severe, such as the ability to escape from Hyper-V (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335), are much more intriguing. Hyper-V, naturally, is also not enabled by default.
Heavy updates
However, dozens of other features are enabled by default, potentially aiding criminals in exploiting less severe vulnerabilities. This underscores the importance of installing updates. For those who believe that Windows works flawlessly "right out of the box" and that an updated Windows somehow stops working properly, it is worth noting that every initial release of Windows has contained significant shortcomings. The latest update for Windows 11 is about 1,078 megabytes, while the update for Windows 10 is 736 megabytes, with an additional 60 megabytes needed for prerequisites.