March 2025 Patch Tuesday forecast: A return to normalcy

The February Patch Tuesday updates and activity during the month marked a return to normalcy for patch management. Following the January updates addressing 100+ vulnerabilities, we saw 37 CVEs fixed in Windows 11 and 33 CVEs in Windows 10. This was rounded out by 8 CVEs addressed in the Office 365 online versions and Office 2016 in standalone form.

Microsoft made a few announcements and fixes in the last month you should be aware of. A January non-security update and February security update for the operating system impacted some drag-and-drop functionality in Outlook. This has been resolved in the March preview release. The preview also includes a fix for the SSH connections issue, which has been in effect since October 2024 across multiple operating systems. They also announced they have implemented a service-level fix for CVE-2025-24989, which existed in Power Pages on the Microsoft Power Platform. This vulnerability “allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control” per Microsoft. We’ll need to be on the lookout for these fixes in the upcoming Tuesday releases.

Microsoft added to their upcoming end-of-life product list with the announcement that after 14 years, the Skype service will go offline on May 5th. Customers are encouraged to move to Teams which provides many of the same services. As I mentioned last month, Patch Tuesday on October 14, 2025 will be a momentous day, with the final updates being released for Windows 10, Exchange Server 2016 and Exchange Server 2019. As they did for Skype, Microsoft provided a 60-day warning in February they would deprecate WSUS driver synchronization on April 18, 2025. They will continue to be available in the update catalog, but you won’t be able to import them into WSUS. Ensure you are planning ahead for all these critical events.

The threats to our systems never end, but there are two that stood out to me this month. The first involves the use of polymorphic extensions in Google Chrome. Devised by SquareX labs, there are a number of steps from getting the user to download a malicious extension to eventually exporting sensitive information, but the scary part is that the malicious extension can swap back in the real one to look authentic. The second is a series of botnet attacks targeted at Microsoft O365 accounts worldwide. The goal is to use Basic Authentication (Basic Auth) to bypass Multi-Factor Authentication (MFA) protections and gain unauthorized access without triggering security alerts. The good news is that Microsoft is disabling the Basic Auth services on any remaining accounts in September 2025 and switching to OAuth2 requiring MFA.

March 2025 Patch Tuesday forecast

• Microsoft will most likely release a few more security fixes in operating system updates than the 37 CVEs in February. In addition to the OS updates, there may be an Exchange update based on some of the preview work.
• Adobe updated many of their Creative Cloud apps last month, so I don’t expect many updates there this month. The next big Adobe Acrobat and Reader updates will most likely come in April with the new quarter.
• Apple provided OS and application updates across the board on Feb 10. While they are due for another round, they most likely will appear later in the month if they keep their current cadence.
• Google released Chrome Desktop 135 to the Beta channel for Windows, Mac and Linux so expect the GA release next week.
• In their usual release cadence, the Mozilla Foundation released security updates this week. The three ESR versions were marked Critical this month, while Firefox and Thunderbird 136 were rated High. As always, include these in your Patch Tuesday mix if you haven’t deployed them already.

It looks like a pretty ‘normal’ Patch Tuesday coming up next week. We’ll see fixes for Outlook and the SSH connection issues, but we’ll have to wait and see on the extent of the security updates. Outside of Microsoft, we’re really only anticipating the usual weekly release of Chrome on Tuesday.