Patch Tuesday May 2025: Apple beats Microsoft to the security patch festival and more. All the security update info you need for your small business this month. If you’re not sure what you should be patching or why, read Patch Primer for Small Business.

Apple Updates
Apple beat Microsoft to the patch festival by a day, releasing security updates for all supported macOS versions and iThingys on Monday, May 12th. By supported macOS versions I mean Sequoia, Sonoma and Ventura. You can check your version by clicking on the Apple icon in the upper left-hand corner of the screen and then clicking About This Mac.
For iPhone and iPad folks, you should now be running version 18.5 for iPhone XS and later, iPad 12 and later. More details on those security updates here. Apple also provided an update for older iPads running 17.7 but has pulled the 17.7.7 update after login problems. More details about the rotten Apple iPad OS 17.7 update here.
Apple also patched security problems in the Safari browser, Apple Watch and TV OS.
Apple says there is no indication of active exploitation of any of the vulnerabilities patched this month; however, hackers have now had time to dissect the patches to actively exploit unpatched devices.

Adobe Updates
No updates for Adobe Acrobat or Reader this month. Security updates for most of the Creative Suite (Photoshop, InDesign, Illustrator, etc.). I expect Adobe will update Acrobat and Reader next month. Details on May Adobe security updates here.

Microsoft Updates
Microsoft released patches for 78 vulnerabilities affecting Windows 10, 11, supported Server versions and Microsoft Office. Hackers are exploiting five of these vulnerabilities now.
The Windows 11 update eats up 4GB of disk space, mainly for the privacy-problem Recall feature. However, Recall is only available on Windows Copilot-enabled computers. Long thread on various issues with the new version of Recall here.

WordPress Woes
A couple of weeks ago I got a call from a small business owner who was getting a warning from Norton about his web site being dangerous (his words) and one of his other services was getting blocked because his domain name was on a naughty list. All because his WordPress web site was hacked. And it got hacked because the WordPress OS wasn’t updated, and the theme wasn’t updated.
Think of your web site like an operating system with apps: it needs security updates. If you have a simple brochure web site (i.e. no e-commerce) it can be updated without fear of parts breaking.
And you can get antivirus for your web site. For example, Wordfence offers a free plugin and a Premium plugin for $149 USD a year. To get them to clean up your web site costs $590 USD. Another one to check out is Sucuri.
Wordfence just released their annual report on WordPress security. Vulnerabilities and critical vulnerabilities went way up from 2023. The good news is that having a security plugin/firewall, frequent patching and monitoring stops most of these.
Schedule time to patch your web site this month or hire someone to do it for you.
Patch Tuesday May 2025: an ounce of patching is cheaper than a pound of hacking.