Apple, Microsoft, and Google released critical security updates this month, including 5 exploited zero-days, a wormable Apple bug and a zero-click Android vulnerability. We’re reminded of the impact of Ransomware attacks, with 3 major British retailers affected, leading to empty store shelves and M&S’s stock plummeting 7% ($700M in value). Lastly, we learned of EDR products including Windows Defender, SentinelOne and CrowdStrike being easily circumvented by attackers through a built-in upgrade process.
Microsoft Windows:
This month Microsoft released patches for 72 vulnerabilities including 5 zero-day exploits under attack. This means timely patching of your Windows devices this month is critical.
Apple:
Apple patched a severe vulnerability impacting their AirPlay technology, which allows for the discovery and streaming of media content to network-connected devices such as speakers. This means that to exploit the vulnerability, attackers just need to be on the same network as the victim. Until patched, users need to be careful about connecting to untrusted or guest wireless networks from all Apple devices (computers, iPads, iPhones, etc.).
Google Android:
Google released a critical Android patch this month addressing an actively exploited vulnerability in one of its font rendering libraries. This vulnerability can easily be exploited by directing a victim to open a specially crafted website, PDF file, email attachment, etc.
Ransomware and the return of Scattered Spider:
Three major UK retailers have been impacted by Ransomware events, including Harrods, Co-op and Marks & Spencer. The impact on these organizations is significant, and the blame is being placed on the return of the hacking group Scattered Spider, the group behind the 2023 MGM hack. These events remind us of the importance of critical security controls and the very real impact of compromises on business value and viability.
EDR Easily bypassed:
We learned this month of several easily exploited bypass techniques used in the wild to evade the protection of common EDR software including SentinelOne, CrowdStrike and MS Defender EDR. Both SentinelOne and CrowdStrike have provided fixes for the issue, while Microsoft has yet to provide a solution. On SentinelOne and CrowdStrike, the technique leverages the normal upgrade process, which temporarily disables the protections while agents are updated. The attacker can initiate an upgrade to disable protection and launch their attack. For Windows Defender, attackers can pose as a legitimate alternative AV solution, which causes Defender to disable its protections.
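As an added defender-side check that is not from this newsletter or the linked write-ups, the following PowerShell reports whether Defender’s real-time protection is on and which antivirus products are registered with Windows Security Center, so a Defender that quietly stood down because another “AV” registered itself stands out. It assumes a Windows 10/11 client with the Defender PowerShell module and is run from an elevated prompt.

```powershell
# Added check (not from the newsletter): surface the condition the Defender
# bypass relies on, i.e. a non-Microsoft AV registered with Security Center
# while Defender real-time protection is off.
# Assumes a Windows 10/11 client (root/SecurityCenter2 is not present on Server).

$mp = Get-MpComputerStatus
"Defender service running : $($mp.AMServiceEnabled)"
"Antivirus enabled        : $($mp.AntivirusEnabled)"
"Real-time protection     : $($mp.RealTimeProtectionEnabled)"
"Signature age (days)     : $($mp.AntivirusSignatureAge)"

# Every AV product registered with Security Center. Bit 0x1000 of
# productState is set when the product reports itself as enabled.
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct
foreach ($p in $products) {
    $enabled = (($p.productState -band 0x1000) -ne 0)
    "Registered AV: $($p.displayName) (enabled=$enabled, state=0x{0:X6})" -f $p.productState
}

# Flag the suspicious combination: Defender RTP off AND a third-party product present.
$thirdParty = $products | Where-Object { $_.displayName -notlike '*Defender*' }
if (-not $mp.RealTimeProtectionEnabled -and $thirdParty) {
    Write-Warning ("Defender real-time protection is OFF and a non-Microsoft AV is registered: " +
                   ($thirdParty.displayName -join ', ') +
                   ". Confirm this product was deployed on purpose.")
}
```

Run it across managed endpoints and treat any registered AV name your organization did not deploy as an incident to investigate.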
What do I need to do?
For our clients who subscribe to our security and management tools, your Windows and Apple computers should receive updates starting next week. Users should complete the installation of patches when prompted and not delay or defer them. We’ve already deployed SentinelOne updates early last week. Users should review and manually apply updates for their Apple and Google mobile devices.
Specifically, users should take the following actions:
- All Windows and Mac users should complete the installation of patches when prompted and not delay or defer them. Updates can be manually installed following the directions below:
- Users should check for and install updates for all Apple iOS and Android devices.
- Business leaders should review their security posture and Incident Response plans to ensure they’ve fully evaluated the risks of Ransomware and have a practiced plan in place that includes a crisis management component.
Additional Resources and Details:
- Microsoft Windows Security: https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2025-patch-tuesday-fixes-5-exploited-zero-days-72-flaws/
- Apple: https://www.bleepingcomputer.com/news/security/apple-airborne-flaws-can-lead-to-zero-click-airplay-rce-attacks/
- Google Android: https://www.bleepingcomputer.com/news/security/google-fixes-actively-exploited-freetype-flaw-on-android/
- Google Android: https://www.bleepingcomputer.com/news/security/facebook-discloses-freetype-2-flaw-exploited-in-attacks/
- Google Android: https://source.android.com/docs/security/bulletin/2025-05-01
- Ransomware: https://www.cybersecuritydive.com/news/uk-authorities-retail-risks-cyberattack/747128/
- Ransomware: https://www.cybersecuritydive.com/news/ms-hackers-customer-data-cyberattack/747956/
- Ransomware: https://www.bleepingcomputer.com/news/security/mands-says-customer-data-stolen-in-cyberattack-forces-password-resets/
- Scattered Spider: https://www.silentpush.com/blog/scattered-spider-2025/
- EDR: https://cybersecuritynews.com/defendnot-disables-windows-defender/
- EDR: https://www.aon.com/en/insights/cyber-labs/bring-your-own-installer-bypassing-sentinelone