For so few patches from Microsoft this month (57), we have seven zero-days to manage with a Patch Now recommendation for Windows and standard release schedules for Microsoft Office, Microsoft browsers (Edge) and Visual Studio. Adobe is back with a critical update for Reader, but this has not been paired (this time) with a Microsoft patch.
To help navigate these changes to their platforms, the team from Readiness has provided a helpful infographic detailing the risks of deploying updates to each platform.
Known Issues
Microsoft is still dealing with reported gaming issues (Roblox) and has two reported new known issues for this March release cycle, including:
- Windows 11: After installing this March update, USB-connected dual-mode printers supporting both USB Print and IPP Over USB may print random text, network commands, and unusual characters, often starting with “POST /ipp/print HTTP/1.1.” This issue can be mitigated using Known Issue Rollback (KIR).
- Windows 10: After installing Windows updates from January 14, 2025, or later, the Windows Event Viewer may log an error related to SgrmBroker.exe as Event 7023, but this does not trigger any visible notifications. This error occurs because the System Guard Runtime Monitor Broker Service, originally part of Microsoft Defender but no longer in use, conflicts with the update during initialization. According to Microsoft, this reported issue does not impact system performance, functionality, or security, as the service is already disabled in other supported Windows versions.
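A triage sketch for the Windows 10 item above, as an added example that is not from this article or from Microsoft: it separates the documented SgrmBroker Event 7023 entries from other service failures logged under the same event ID, so the known issue is not handled by suppressing 7023 wholesale. The function name `Get-Event7023Triage`, the verdict labels, and the sample records are assumptions constructed for illustration.

```powershell
# Added example: classify Event 7023 records so only the documented SgrmBroker noise is set aside.
# Get-Event7023Triage and the verdict labels are hypothetical; sample events are constructed.

function Get-Event7023Triage {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Updates from this date or later trigger the known issue (date taken from the article).
        [datetime] $KnownIssueStart = [datetime]'2025-01-14'
    )
    foreach ($e in $Events) {
        if ($e.Id -ne 7023) { continue }   # only "service terminated with error" events
        $isSgrm = $e.Message -match 'System Guard Runtime Monitor Broker|SgrmBroker'
        $verdict = if ($isSgrm -and $e.TimeCreated -ge $KnownIssueStart) {
            'KnownIssue'      # matches the documented behaviour
        } elseif ($isSgrm) {
            'Review'          # same service, but logged before the updates named in the known issue
        } else {
            'Investigate'     # a different service terminated with an error
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Verdict     = $verdict
            Message     = $e.Message
        }
    }
}

# Constructed sample records shaped like Get-WinEvent output (error values are placeholders).
$sample = @(
    [pscustomobject]@{ Id = 7023; TimeCreated = [datetime]'2025-03-12T08:01:00'
        Message = 'The System Guard Runtime Monitor Broker service terminated with the following error: <error>' },
    [pscustomobject]@{ Id = 7023; TimeCreated = [datetime]'2025-03-12T08:05:00'
        Message = 'The Example Agent service terminated with the following error: <error>' },
    [pscustomobject]@{ Id = 7036; TimeCreated = [datetime]'2025-03-12T08:06:00'
        Message = 'The Example Agent service entered the running state.' }
)

Get-Event7023Triage -Events $sample | Format-Table -AutoSize

# On a live Windows 10 host, feed real events instead:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7023 }
# Get-Event7023Triage -Events $live
```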
Following on from previous reports of Citrix-related update issues, devices with Citrix Session Recording Agent (SRA) version 2411 may (still) be unable to complete the installation of the January 2025 Windows security update, causing the system to revert to previous updates after a restart. Affected devices may initially download and apply the update, but an error message stating “Something didn’t go as planned” appears during installation. This issue is expected to impact only a limited number of organizations, as version 2411 of SRA is newly released, and home users are not affected. I am not sure that this issue is going to be fixed soon, folks.
Major Revisions and Mitigations
Microsoft has not released or documented any mitigations or workarounds for the current set of March Patch Tuesday updates. At the time of writing, the following Chromium patches have been revised and re-released:
- CVE-2025-1920: Type Confusion in V8 (Chromium)
- CVE-2025-2135: Type Confusion in V8 (Chromium)
- CVE-2025-2136: Use After Free in Inspector (Chromium)
- CVE-2025-2137: Out of Bounds Read in V8 (Chromium)
- CVE-2025-24201: Out of Bounds Write in GPU on Mac (Chromium)
Windows Lifecycle and Enforcement Updates
Microsoft is retiring several products this month:
- Microsoft SQL Server 2019 ended mainstream support last month (Feb 28).
- Microsoft Skype to be terminated (with prejudice) this coming May.
- Windows Remote Desktop is to be replaced next month with the Windows App, noting that there are still some missing features and several known issues reported in this new release.
Over the next three months (April to May 2025), several Microsoft products are scheduled to reach their end-of-life (EOL), meaning they will no longer receive security updates, non-security updates, or technical support including:
- April 2, 2025: Dynamics 365 Business Central on-premises (2023 release wave 2, version 23.x) will reach end of servicing.
- April 8, 2025: Dynamics GP 2015 and Dynamics GP 2015 R2 will reach end of support.
- April 9, 2025: Microsoft Configuration Manager, Version 2309 will end support.
Each month, the team at Readiness analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a comprehensive analysis of the Microsoft patches and their potential impact on Windows platforms and application deployments.
For this March release cycle there are no reported functional changes. However, feature level testing will still be required, especially for system drivers and core libraries. Due to these low-level system (kernel) changes, a full reboot/restart test will be required for all Windows UI elements including Explorer, desktop shell and Internet Explorer.
We have grouped the critical updates and required testing efforts into different functional areas, including:
File System Components
- Common Log File System: Test by creating a BLF and multiple container files, appending logs using `ReserveAndAppendLog`, and then deleting the containers.
- Core System drivers (ntfs.sys, exfat.sys & fastfat.sys): Test mounting, dismounting, and performing file operations on ExFAT volumes.
Networking & Remote Services
- If using a Routing and Remote Access Service (RRAS) server, test `netsh` scenarios to confirm commands work as expected.
- FAX: Validate TAPI initialization, shutdown, and key functions like `lineInitialize` and `lineMakeCall`. Stress test for stability and error handling.
Storage & Device Interaction
- Focus on storage subsystem tests, including operations on virtual/physical disks and storage enclosures.
- Test how Search Connector files interact with various network paths (UNC, SMB, and file system paths).
- Validate all camera-related scenarios.
Audio, Video & UI Components
- Verify audio/video recording with internal and external devices.
- Test apps like Teams and Camera that use virtual features (e.g., Phone Link, Windows Studio Effects).
Affected Versions for this update cycle include the following Windows desktop and server builds:
- Windows 11 24H2, 23H2, 22H2, Windows 10 1607, Windows 10 RTM.
- Windows Server 23H2, Azure Stack OS 22H2, Windows Server 2022
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office
- Microsoft Exchange and SQL Server
- Microsoft Developer Tools (Visual Studio and .NET)
- Adobe (if you get this far)
Browsers
Microsoft has released ten low-profile (no rating from Microsoft) updates to its Edge (Chromium-based) browser. These browser changes can be added to your standard release calendar.
Microsoft Windows
The following Windows product areas have been updated with five critical rated patches and 32 remaining patches rated important for this March patch cycle:
- CVE-2025-24035: Windows Remote Desktop Services Remote Code Execution Vulnerability
- CVE-2025-24064: Windows Domain Name Service Remote Code Execution Vulnerability
- CVE-2025-24084: Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability
- CVE-2025-26645: Remote Desktop Client Remote Code Execution Vulnerability
Unfortunately, three of these updates (CVE-2025-24984, CVE-2025-24984 and CVE-2025-24984) have been reported as exploited. Add these Windows updates to your “Patch Now” schedule.
Microsoft Office
Microsoft has released a single critical update (CVE-2025-24057) and ten patches rated as important for the Microsoft Office platform. All of the important updates affect Microsoft Word, Excel and Access with no reports of disclosures or exploitation. Add these Microsoft Office updates to your standard release calendar.
Microsoft Exchange and SQL Server
No updates for either Microsoft Exchange or SQL Server this March update cycle.
Developer Tools
Microsoft has released 5 patches, all rated as important by Microsoft, that affect Microsoft Visual Studio and ASP.NET. Add these updates to your standard developer release schedule.
Adobe (and 3rd party updates)
This March, Adobe released a security update (APSB25-14) for Acrobat and Reader for Windows and macOS, which addresses six critical and three important vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak. Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates. For some reason this update was not included in this Microsoft patch cycle. Maybe this is the way things should be.