Microsoft has released the largest Tuesday patch package for its software in recent years.

As is its tradition, on Tuesday, January 14, Microsoft released a major package of security updates. This release was the largest in recent years, fixing 159 vulnerabilities in Windows, Office, Edge and other applications and services, almost double the usual number of fixes. According to Microsoft, three of these vulnerabilities are already being exploited in the wild, and another five were publicly known before the patches were released.


As usual, Microsoft publishes only limited information about the vulnerabilities in its Security Update Guide for independent analysis. What is known is that the bulk of the fixes, 132 vulnerabilities, affect the versions of the Windows OS that Microsoft still supports (Windows 10, Windows 11 and Windows Server).

According to the company, three of the fixed Windows vulnerabilities are being actively exploited. The Hyper-V vulnerabilities CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335 allow an attacker who already has a foothold on a guest system to execute code with elevated privileges. Microsoft has not disclosed how widely these exploits are being used.

Microsoft classifies eight Windows vulnerabilities as critical. For example, the vulnerability CVE-2025-21298 in Windows OLE (CVSS 9.8) can be exploited through a specially crafted email if it is opened in Outlook. If attachment preview is enabled, this may lead to the injection and execution of malicious code.

Vulnerabilities CVE-2025-21297 and CVE-2025-21309 (CVSS 8.1) in server-side Remote Desktop Services could be used by attackers to carry out a remote attack without needing to log in.

Microsoft also fixed 28 similar remote code execution (RCE) vulnerabilities (CVSS 8.8) in the Windows Telephony service. These vulnerabilities are classified as high-risk, but there is no evidence that attackers have exploited them.

Microsoft has fixed 20 vulnerabilities in Office products. These include RCE vulnerabilities in Word, Excel, Outlook, OneNote, Visio and SharePoint Server. Three RCE vulnerabilities in Access are classified as zero-day vulnerabilities.

The update package also includes a security patch for the Microsoft Edge browser, version 131.0.2903.146 dated January 10, based on Chromium 131.0.6778.265. Detailed documentation for this update is not yet available, however. The fixes are likely similar to those Google made in the latest version of Chrome, which addressed a number of high-risk vulnerabilities.

Microsoft has once again urged users of legacy versions of Windows 7 and 8.1 to upgrade to Windows 10 or Windows 11 to continue receiving security updates. The next regular Patch Tuesday is scheduled for February 11, 2025.
