Microsoft issued December 2025 updates for 54 flaws, including two actively exploited zero-days affecting Windows, Office, and GitHub Copilot.
Microsoft released December 2025 updates addressing 54 vulnerabilities, including two actively exploited zero-days.
CVE-2025-62221, a Windows Cloud Files driver flaw, allows attackers with local code execution to gain SYSTEM-level access and is already being exploited.
CVE-2025-54100 bypasses Windows' Mark of the Web protection, enabling malicious code execution before a file is saved. It primarily affects PowerShell 5.1, which now requires a user prompt.
A flaw in GitHub Copilot for JetBrains (CVE-2025-64671) could allow arbitrary command execution via AI code suggestions.
Two Office vulnerabilities (CVE-2025-62554, CVE-2025-62557) enable remote code execution just by previewing malicious emails or files.
The batch excludes browser and open-source patches, which were addressed earlier in December.
PowerShell 7 is unaffected; users of PowerShell 5.1 should use the -UseBasicParsing parameter to avoid script issues.
Organizations are urged to prioritize patching due to active exploitation and high-risk potential.