The Indian government’s cybersecurity arm has issued a high-severity alert advising organisations and individuals to urgently address a batch of patched—but still dangerous—vulnerabilities across multiple Microsoft products, including Microsoft Edge (Chromium-based), Windows Server storage components, Windows certificate handling, the MBT Transport (netbt) driver, Microsoft PC Manager, and Azure Databricks. The advisory follows Microsoft’s recent Patch Tuesday wave and national-level analysis that underscores a cross‑product risk profile: unpatched systems could allow remote code execution, elevation of privileges, certificate spoofing, or other bypasses that enable ransomware, data theft, or persistent access. (english.mathrubhumi.com, bleepingcomputer.com)

Background

Microsoft’s August 2025 patch cycle fixed dozens of issues across the Windows and Azure ecosystems; security researchers and national CERTs subsequently highlighted a set of individual fixes that, together, form a material risk for many enterprises. Several national and regional incident response teams have issued advisories recommending immediate patching of affected components and prioritising internet‑facing and high‑value assets. These warnings are not hypothetical: the vulnerabilities span common attack classes—remote code execution (RCE), privilege escalation, improper access control and certificate/spoofing weaknesses—which are routinely weaponised in enterprise-targeted intrusions. (bleepingcomputer.com, cert.europa.eu)
Microsoft has published product‑specific advisories and cumulative updates for affected items; however, large and distributed IT estates often lag in deployment, and cloud‑hosted services (like Azure Databricks clusters and Purview components) require different completion steps—inventory, cluster restarts, or control plane setting changes—beyond simply installing an OS patch. CERTs emphasise that patch availability does not equal patch presence. (learn.microsoft.com, nvd.nist.gov)

What CERT‑In said — executive summary

  • CERT‑In categorised the advisory as high severity and listed the core product areas of concern: Microsoft Edge (Chromium-based), Windows Server (storage components), Windows Certificates component, MBT Transport driver (netbt), Microsoft PC Manager, and Azure Databricks.
  • The advisory warns these flaws could enable arbitrary code execution, elevation of privileges, bypass of security controls and cryptographic signature spoofing—outcomes that align with ransomware and advanced data‑exfiltration scenarios.
  • The agency’s core recommendation is immediate application of vendor patches and increased operational vigilance, especially for enterprise endpoints, servers and cloud service accounts. (english.mathrubhumi.com)
This national note mirrors guidance issued by other computer emergency response teams and security organisations: treat the update as high priority, with public‑facing and critical infrastructure assets at the top of the patch queue. (cert.europa.eu, cisecurity.org)

Overview of affected components — what they are and why they matter

Microsoft Edge (Chromium-based)

Microsoft Edge consumes security fixes from the Chromium open‑source project and ships periodic stable releases that include those fixes. Several severe Chromium‑level CVEs were addressed in recent Edge releases; many of these are memory‑safety or input‑validation issues (V8, Mojo, layout components) that can be exploited by a crafted webpage or malicious file to trigger remote code execution in the context of the browser process. Because modern browsers are a primary attack vector for commodity and targeted attacks alike, a vulnerable browser on a corporate endpoint can provide an initial foothold or lateral pivot capability. Microsoft has released relevant Edge builds and release notes documenting the fixed CVEs. (learn.microsoft.com, lifewire.com)
Practical note: enterprise fleets often delay browser updates for compatibility tests; that window creates risk. Edge’s built‑in update mechanisms and the new “instant updates” option can reduce that window for consumer and managed devices—but in managed environments, update cadence must be coordinated with application compatibility testing. (support.microsoft.com)

Windows Server — Storage components

The Windows Server storage stack and several kernel‑adjacent drivers received fixes for vulnerabilities that could lead to privilege escalation or information disclosure. Storage components are attractive to attackers because they touch files and metadata at a low level; successful exploitation can lead to persistent access, elevation to SYSTEM, or corrupted integrity controls that bypass backup/restore protections. These issues require OS-level updates and, for clusters or hyperconverged systems, careful sequencing to avoid disruption. (bleepingcomputer.com)

Windows Certificates component

Flaws in certificate handling or signature verification can permit spoofing or bypass of cryptographic checks—an especially sensitive category because certificates underlie code signing, Secure Boot trust chains, and TLS trust validation. A flaw here could allow an attacker to craft artifacts that pass signature checks, open paths for kernel‑level tampering, or undermine TLS-based protections, potentially enabling supply‑chain or man‑in‑the‑middle attacks. Vendor advisories show certificate and key‑related fixes among recent updates. (bleepingcomputer.com, techcommunity.microsoft.com)

MBT Transport driver (netbt.sys)

The MBT Transport driver implements NetBIOS over TCP/IP (NetBT), a legacy but still common protocol in enterprise networks. Security researchers identified an arithmetic flaw (an integer underflow/overflow or similar error in buffer‑allocation logic) that can be weaponised to corrupt kernel memory and escalate privileges to SYSTEM. Kernel‑mode driver vulnerabilities are especially dangerous because a successful exploit can turn a user‑level compromise into full host takeover. Vendors have published CVE entries and mitigations for netbt‑related issues. (zeropath.com, bleepingcomputer.com)

Microsoft PC Manager

Microsoft PC Manager (a desktop utility shipped to OEM and some consumer devices) has had a number of local privilege‑escalation flaws reported and patched. Several are path/“link following” or insecure service‑loading issues where an attacker with low privileges can place crafted files or symlinks to be consumed by a higher‑privilege service, causing code execution under elevated context. These are typically fixed with application updates but require endpoint fleet patching and, where possible, removal of unnecessary utilities. (cvedetails.com, zerodayinitiative.com)

Azure Databricks (and related Purview / governance)

Cloud platform components—including Azure Databricks and Microsoft Purview governance—have been flagged for improper access control or authorization weaknesses allowing privilege escalation across workspace boundaries or from lower‑privilege service identities to admin scopes. Cloud vulnerabilities are frequently network‑exploitable and can enable lateral movement to storage accounts, Key Vaults, or data exfiltration. Mitigations often require vendor patches, runtime/driver upgrades and administrative actions like token rotation and RBAC tightening. (nvd.nist.gov, windowsforum.com)

Technical analysis — attack paths, exploitability and real‑world risk

The flagged issues fall into predictable, high‑impact categories:
  • Remote Code Execution (RCE) in a browser or graphics component: attacker only needs to get a user to visit a malicious page or open a crafted file to run code. Exploits for Chromium‑level bugs are frequently weaponised in targeted campaigns. (learn.microsoft.com, bleepingcomputer.com)
  • Kernel/driver vulnerabilities (MBT/Storage): these allow escalation to SYSTEM or kernel memory corruption. Once an attacker gains kernel privileges, endpoint containment and forensic recovery become substantially more complex. (zeropath.com)
  • Improper access control in cloud services (Azure Databricks): these can permit privilege escalation or lateral movement inside the cloud tenant. The attack surface differs from on‑premises; attackers often combine stolen tokens, misconfigured RBAC, or misapplied public endpoints to achieve effective control. (nvd.nist.gov)
  • Certificate/spoofing issues: the risk is asymmetric—if certificates used for code signing or Secure Boot are spoofed, attackers can run code that appears legitimate or bypass boot‑level protections. Such weaknesses are rare but catastrophic. (techcommunity.microsoft.com)
Exploitability is context dependent. Some CVEs require local authentication or specific privileges; others are network‑exploitable with little or no interaction. For defenders, priority should be given to issues with either (a) public exploit proof‑of‑concepts, (b) network‑accessible attack vectors, or (c) potential for lateral movement once exploited.
Independent security trackers and national CERTs have published CVE lists and guidance; Microsoft’s Security Update Guide lists the patched CVE IDs and the mitigations or fixes available. Administrators should cross‑reference their environment against vendor release notes and the US/European/Indian advisories to triage urgency. (bleepingcomputer.com, cert.europa.eu)

Why businesses must care now — impact scenarios

  • Ransomware chain: a browser RCE plus a kernel privilege escalation can allow an attacker to deploy ransomware across a domain, bypassing endpoint protections.
  • Data theft from cloud: Azure Databricks privilege escalation could allow an attacker to export sensitive datasets from a data lake or to manipulate job definitions to siphon data to external endpoints.
  • Supply‑chain trust erosion: certificate spoofing or signing bypasses threaten system boot integrity and code provenance, making long‑term remediation and trust rebuilding costly and slow.
  • Compliance, fines and operational impact: data breaches involving regulated datasets (PII, financial records, healthcare) carry immediate regulatory, reputational and financial consequences.
Given the mix of endpoint, server, and cloud exposures, a piecemeal update campaign risks leaving chained attack paths open—attackers typically look for the weakest remaining component to pivot through. (cert.europa.eu, windowsforum.com)

What to do right now — emergency checklist for IT teams

  • Inventory & prioritise
      • Inventory all systems running the affected components: Edge versions, Windows Server SKUs (storage roles), PC Manager installations, and all Azure Databricks workspaces. Prioritise internet‑facing, privileged and high‑value datasets.
      • Use existing asset management and EDR tooling to report current software versions and presence of the vulnerable services.
  • Apply vendor patches immediately
      • For Microsoft Edge, open Edge → Settings and more (three dots) → Help and feedback → About Microsoft Edge. Allow the browser to check for and install updates, then restart as instructed. In managed environments, apply the approved Edge update channel packages via your patching tool. (lifewire.com, learn.microsoft.com)
      • For Windows Server and kernel/driver fixes, deploy the Aug‑2025 (or vendor‑specified) cumulative updates using your standard patch pipeline (WSUS, SCCM/Endpoint Configuration Manager, or another patch orchestration tool). Sequence reboots and cluster updates to avoid service disruption. (bleepingcomputer.com)
      • For Microsoft PC Manager, push vendor updates or uninstall the utility where unnecessary; treat any non‑essential OEM tools as optional attack surface. (cvedetails.com)
      • For Azure Databricks, follow the vendor’s guidance: patch control plane updates where offered, update cluster runtime versions and JDBC/driver components where applicable, and restart long‑running clusters to pick up runtime fixes. Rotate tokens and service principals as required. (kb.databricks.com, ogma.in)
  • Harden and mitigate where patching will take time
      • Apply network segmentation and micro‑segmentation for critical services.
      • Block or restrict NetBIOS/SMB over untrusted networks to contain MBT/netbt exposure.
      • Enforce strict RBAC in cloud: least privilege, conditional access and MFA for admin actions.
      • Temporarily disable or restrict PC Manager features until patched.
  • Detection & response
      • Hunt for suspicious signs: abnormal process creation from browser processes, unexpected SYSTEM token usage, lateral SMB/NetBIOS traffic spikes, or Databricks job creations from unknown principals.
      • Capture and retain forensic logs: EDR telemetry, Windows Event Logs (Security, System), Sysmon, AD logs, and Azure audit logs.
      • Prepare containment playbooks: isolate machines, revoke tokens, rotate credentials, and freeze Databricks workspace access if evidence is found.
  • Communication & governance
      • Notify leadership, the incident response team, and legal/compliance teams.
      • Record patch decisions, risk acceptance or compensating controls in change and risk registers.
      • If you are in India or handle Indian citizen data, follow CERT‑In disclosure/notification guidance if an incident occurs. (english.mathrubhumi.com)
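The two endpoint hunting signs named under “Detection & response” (abnormal process creation from browser processes and unexpected SYSTEM context) written as a small rule set over Sysmon‑style process‑creation records, as an added example that is not part of the original post or of CERT‑In’s advisory; the event records are constructed, and the browser and child‑process sets are assumptions to tune against your own baseline:

```python
"""Hunt process-creation telemetry for the signs the checklist names: children a
browser should not spawn, and browser process trees running as SYSTEM. Added
example, not tooling from the advisory or CERT-In: field names follow Sysmon
Event ID 1 (Image, ParentImage, User, UtcTime), the records are constructed,
and the allow/deny sets are assumptions to tune against your own baseline."""
import json

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
# Children a browser has no business launching on a workstation (assumption).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                       "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                       "certutil.exe", "bitsadmin.exe"}
# Children Edge legitimately spawns (assumption: extend from your observed baseline).
EXPECTED_CHILDREN = {"msedge.exe", "msedgewebview2.exe", "werfault.exe"}

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return finding strings ('severity: description') for one event."""
    findings = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    user = event.get("User", "")
    if parent not in BROWSERS:
        return findings  # only browser-parented events are in scope here
    if child not in EXPECTED_CHILDREN:
        sev = "high" if child in SUSPICIOUS_CHILDREN else "medium"
        findings.append(f"{sev}: browser {parent} spawned {child}")
    # A browser process tree under SYSTEM does not occur in normal use.
    if user.upper().endswith("\\SYSTEM"):
        findings.append(f"high: {child} started under {user} from browser parent")
    return findings

def hunt(lines):
    """Parse one JSON event per line; return (time, host, finding) tuples."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for finding in classify(ev):
            results.append((ev.get("UtcTime"), ev.get("Computer"), finding))
    return results

# Constructed sample records (not real telemetry); one JSON object per line.
SAMPLE_EVENTS = r"""
{"UtcTime": "2025-08-13 09:01:10", "Computer": "WS01", "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "User": "CORP\\alice"}
{"UtcTime": "2025-08-13 09:01:12", "Computer": "WS01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "User": "CORP\\alice"}
{"UtcTime": "2025-08-13 09:02:00", "Computer": "WS02", "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\bob"}
{"UtcTime": "2025-08-13 09:03:30", "Computer": "WS02", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "User": "NT AUTHORITY\\SYSTEM"}
"""

if __name__ == "__main__":
    for when, host, finding in hunt(SAMPLE_EVENTS.splitlines()):
        print(when, host, finding)
```

Feed it your EDR or Sysmon export (one JSON object per line) and review the "high" findings first; the "medium" tier exists to surface unknown children for baseline tuning rather than to page anyone.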

Step‑by‑step: updating Microsoft Edge (practical)

  • Open Microsoft Edge.
  • Click the three‑dot menu (Settings and more) at the top right.
  • Select Help and feedback → About Microsoft Edge.
  • Edge will automatically check for updates; if an update is downloaded, select Restart to apply it.
  • For managed fleets, deploy the latest stable or Extended Stable Channel packages through enterprise update tooling and ensure compatibility testing is completed before mass rollout. (lifewire.com, support.microsoft.com)
For organisations using browser extension policies or locked down environments, ensure update policies permit the rapid deployment of security fixes and use feature‑control policies to temporarily restrict extension execution where suspicious activity is detected.

Cloud specifics: Azure Databricks mitigation checklist

  • Inventory: list all workspaces, clusters, jobs, service principals and tokens.
  • Patching: apply provider updates to the Databricks control plane and runtime versions; restart clusters where the fix requires a runtime update.
  • Access control: enforce least‑privilege roles, limit service principal scopes, and require MFA for privileged users.
  • Networking: use Private Link, restrict public IP exposure, and employ network-level IP whitelisting where possible.
  • Secrets & keys: rotate service tokens and keys; move to managed identities where possible.
  • Logging & monitoring: centralise Databricks audit logs and integrate into SIEM for behavioural detection. (windowsforum.com, ogma.in)
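A check for the patching item above (runtime version, plus the restart a running cluster needs before a runtime fix actually takes effect), as an added example that is not part of the original post and not Databricks tooling; the cluster records mimic the shape of a clusters/list API response but are constructed, and the minimum runtime and fix date are placeholders to fill from the vendor’s guidance:

```python
"""Flag Azure Databricks clusters that still run an old Databricks Runtime, or that
have been running since before a runtime fix was published and so need a restart.
Added example, not Databricks tooling: the records mimic the shape of a
clusters/list response (cluster_id, spark_version, state, start_time in epoch ms)
but are constructed, and MIN_RUNTIME and FIX_PUBLISHED are placeholders to fill
from the vendor's guidance."""
import re
from datetime import datetime, timezone

MIN_RUNTIME = (13, 3)  # placeholder: oldest runtime line the vendor lists as fixed
FIX_PUBLISHED = datetime(2025, 8, 12, tzinfo=timezone.utc)  # placeholder date
_VER = re.compile(r"^(\d+)\.(\d+)")

def runtime_tuple(spark_version):
    """'13.3.x-scala2.12' -> (13, 3); None when the string is not parseable."""
    m = _VER.match(spark_version or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess_cluster(c):
    """Return the remediation actions (strings) one cluster record still needs."""
    actions = []
    ver = runtime_tuple(c.get("spark_version"))
    if ver is None:
        actions.append("unknown runtime: verify manually")
    elif ver < MIN_RUNTIME:
        actions.append(f"upgrade runtime {c['spark_version']} -> >= "
                       f"{MIN_RUNTIME[0]}.{MIN_RUNTIME[1]}")
    # A running cluster only picks up a runtime fix after it is restarted, so a
    # cluster started before the fix date counts as unpatched even if the
    # control plane shows the update as applied.
    if c.get("state") == "RUNNING" and "start_time" in c:
        started = datetime.fromtimestamp(c["start_time"] / 1000, tz=timezone.utc)
        if started < FIX_PUBLISHED:
            actions.append("restart: running since before the fix was published")
    return actions

def assess(clusters):
    """Map cluster_id -> list of actions; an empty list means nothing to do."""
    return {c["cluster_id"]: assess_cluster(c) for c in clusters}

SAMPLE_CLUSTERS = [  # constructed records, not from a real workspace
    {"cluster_id": "0801-070000-etl1", "cluster_name": "etl-prod",
     "spark_version": "12.2.x-scala2.12", "state": "RUNNING",
     "start_time": 1754006400000},                       # 2025-08-01 00:00 UTC
    {"cluster_id": "0805-120000-adh1", "cluster_name": "adhoc",
     "spark_version": "14.3.x-scala2.12", "state": "TERMINATED"},
    {"cluster_id": "0816-090000-mlp1", "cluster_name": "ml-prod",
     "spark_version": "15.4.x-gpu-ml-scala2.12", "state": "RUNNING",
     "start_time": 1755302400000},                       # 2025-08-16 00:00 UTC
    {"cluster_id": "0816-091500-lgc1", "cluster_name": "legacy",
     "spark_version": "custom-image", "state": "RUNNING",
     "start_time": 1755302400000},
]

if __name__ == "__main__":
    for cid, actions in assess(SAMPLE_CLUSTERS).items():
        print(cid, actions or ["ok"])
```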

Enterprise patch program best practices — beyond the immediate fix

  • Shift‑left testing: maintain a fast path for security patches that bypasses long QA cycles for critical CVEs following a brief application compatibility check.
  • Canary rollout: use staged deployments with telemetry checks before widescale rollout; automatically revert if compatibility issues surface.
  • Cross‑product correlation: patch windows should consider chains (browser RCE + kernel EoP). Treat chained vectors as highest priority.
  • Asset hygiene: eliminate or replace legacy services (NetBIOS/NetBT) where they are no longer needed; reduce attack surface by removing unused utilities (PC Manager style tools).
  • Cloud governance: formalise runtime update policies for managed clusters and ensure service owner accountability for cluster restarts and driver updates.

Strengths and mitigations in Microsoft’s current posture

  • Strengths:
      • Microsoft’s consolidated Patch Tuesday model and Security Update Guide centralise CVE information, making vendor fixes discoverable and actionable.
      • Edge’s alignment with Chromium means many upstream fixes are available quickly to Edge users once Microsoft packages them.
      • Cloud services often permit targeted remediation steps (runtime upgrades, controlled restarts, configuration changes) without full tenant downtime.
  • Remaining weaknesses / risks:
      • Many organisations continue to run delayed update cadences for compatibility or operational reasons, leaving long windows where one weak link can be exploited.
      • Legacy protocols and utilities (NetBIOS, third‑party OEM management tools) remain present in many corporate networks and are attractive pivot points.
      • Cloud misconfigurations and stale tokens are persistent sources of post‑exploit lateral movement that patches alone cannot fix. (learn.microsoft.com, zerodayinitiative.com)

What defenders commonly miss (and should not)

  • Treating browser and cloud patches independently. An attacker will chain a browser‑based foothold into cloud access if local credentials or tokens can be harvested.
  • Not restarting long‑running clusters or services. Some cloud fixes require runtime or driver restarts to take effect; counting a patch as “applied” without a restart is a false positive.
  • Assuming consumer‑grade tools (like PC Manager) are harmless: desktop utilities with services running as SYSTEM are often overlooked but have caused real incidents.
  • Ignoring certificate lifecycle items: Secure Boot, code signing, and certificate expiry/rotation planning must be part of the long‑term remediation plan. Microsoft has highlighted upcoming Secure Boot certificate rollovers that organisations must plan for. (techcommunity.microsoft.com)

When patching is not immediate — compensating controls

  • Increase monitoring and EDR sensitivity on endpoints, with focused rules for unusual child processes of browser binaries or unexpected driver/module loads.
  • Block or tightly restrict SMB/NetBIOS traffic at network boundaries and segment server/storage clusters.
  • Enforce conditional access and block legacy authentication paths that could be abused to escalate privileges in cloud platforms.
  • Use application allowlists and exploit mitigation features (Control Flow Guard, DEP/ASLR) to raise exploitation difficulty.

How to communicate this to non‑technical leadership

  • Frame the risk in business terms: “Unpatched systems could lead to unauthorized access to customer and financial data, possible regulatory fines, disruption to operations, and remediation costs that include ransom or recovery.”
  • Present a concise action plan with costed options: immediate emergency patching (high cost, fast), staged rollouts with compensating controls (moderate cost), or acceptance of risk (rarely recommended).
  • Provide timelines and expected impact windows for patching, reboots, and cluster restarts so leadership can weigh operational trade‑offs.

Longer‑term takeaways

  • Endpoint and cloud security must be considered as an integrated program—not separate silos. Attackers already operate across both vectors.
  • Reduce reliance on legacy protocols and non‑essential OEM utilities to lower exploitable attack surface.
  • Maintain a robust, documented emergency patch process that moves security fixes into production quickly while managing application compatibility through lightweight, automation‑first testing.
  • Invest in detection and response capabilities, especially telemetry that spans on‑premise and cloud logs, to find and interrupt multi‑stage intrusions.

Conclusion

The CERT‑In high‑severity alert is a timely reminder that widespread vendor patches do not eliminate risk until they are actively deployed and accompanied by effective detection, segmentation, and cloud governance. Microsoft has released fixes for the identified flaws, but the real‑world risk lies in lagging patch adoption, legacy services, and chained exploitation across browser, kernel, and cloud assets. Organisations should treat the advisory as an operational priority: inventory now, patch or implement compensating controls now, and hunt for suspicious activity immediately. Failure to act quickly risks ransomware, data theft, and prolonged incident response that could have been avoided with decisive patch and governance practices. (english.mathrubhumi.com, bleepingcomputer.com, nvd.nist.gov)

Source: News18 Indian Govt Issues High Security Alert For Microsoft Edge And Business Users