Microsoft 十月安全更新修補重大漏洞,請儘速更新並留意更新後可能發生的連線異常 Microsoft’s October security update fixes critical vulnerabilities. Please update promptly and be mindful of possible connection issues after the update.

2025 年 11 月 7 日
Featured image for “Microsoft 十月安全更新修補重大漏洞,請儘速更新並留意更新後可能發生的連線異常 Microsoft’s October security update fixes critical vulnerabilities. Please update promptly and be mindful of possible connection issues after the update.”

Microsoft 例行安全更新共修補 172 項漏洞,其中包含 8 項重大及 6 項零日漏洞。

本次更新中需特別注意以下兩項重點:

  • NET Core 重大漏洞(CVE-2025-55315)

影響範圍: ASP.NET Core 使用之 Kestrel Web Server。

風險說明: 此漏洞可能被利用進行 HTTP Request Smuggling 攻擊,攻擊者可藉此竊取使用者憑證、修改伺服器檔案或造成服務中斷。

受影響版本與建議措施:

  1. .NET 8 或更新版本: 透過 Microsoft Update 安裝更新後,請重新啟動應用程式或系統。
  2. .NET 2.3 系列: 更新至AspNet.Server.Kestrel.Core 2.3.6,並重新編譯與部署。
  3. 自包含(Single-file)應用:安裝更新後請重新編譯與部署。
  4. 補充說明: Microsoft 同步釋出 Visual Studio 2022、NET Core 2.3 / 8.0 / 9.0 等版本之安全修補。
  • Windows 更新後可能出現 localhost 連線異常

問題現象: 部分使用者於安裝更新後,出現 HTTP/2 localhost(127.0.0.1)連線中斷,或出現 ERR_CONNECTION_RESET、ERR_HTTP2_PROTOCOL_ERROR 錯誤。

影響範圍: Windows 11、Windows Server 2025(含 IIS、Visual Studio 偵錯及 SSMS Entra ID 認證等情境)。

原因說明: 問題與 HTTP.sys 元件更新錯誤有關。

建議措施: 建議持續關注 Microsoft 官方安全公告與更新資訊,待正式修補釋出後再行安裝。

另外,針對一般行政人員而言,若未在本機(localhost)運行網站或開發系統,本次 IIS / HTTP.sys 問題 幾乎不會造成影響,可安心安裝更新以確保系統安全。

 

Microsoft’s regular security update addresses a total of 172 vulnerabilities, including 8 critical and 6 zero-day vulnerabilities.

Please pay special attention to the following two key points in this update:

  • Critical ASP.NET Core vulnerability (CVE-2025-55315)

Scope of impact: Kestrel Web Server used by ASP.NET Core.

Risk description: This vulnerability can be exploited to carry out HTTP request smuggling attacks, allowing an attacker to steal user credentials, modify server files, or cause a service outage             (denial of service).

Affected versions and recommended actions:

  1. .NET 8 or later: After installing the update via Microsoft Update, please restart the application or system.
  2. .NET 2.3 series: Update to Microsoft.AspNet.Server.Kestrel.Core 2.3.6, then recompile and redeploy the application.
  3. Self-contained (single-file) applications: After installing the update, please recompile and redeploy.
  4. Additional information: Microsoft has also released security updates for Visual Studio 2022 and ASP.NET Core versions 2.3, 8.0, and 9.0.
  • Connection issues to localhost may occur after the Windows update.

Issue description: After installing the update, some users may experience HTTP/2 localhost (127.0.0.1) connection interruptions, or encounter errors such as ERR_CONNECTION_RESET               or ERR_HTTP2_PROTOCOL_ERROR.

Scope of impact: Windows 11 and Windows Server 2025, including scenarios involving IIS, Visual Studio debugging, and SSMS Entra ID authentication.

Cause: The issue is related to an error in the HTTP.sys component update.

Recommended action: We recommend monitoring Microsoft’s official security announcements, then updating information and installing updates only after the official fix is released.

Additionally, for general administrative users, if websites or development systems are not running locally (on localhost), the IIS/HTTP.sys issue is unlikely to have any impact. You can safely install the update to ensure system security.

上一篇 資安預警: 近期勒索軟體攻擊頻繁,請各位同仁定期備份資料。Cybersecurity Alert: Recent Ransomware Attacks are Increasing. All colleagues are advised to regularly back up data.
下一篇 轉知教育部「不迷小紅書,青春不迷途」宣導專區資訊,提醒師生注意App資安風險Please be informed of the Ministry of Education’s “Don’t Get Lost in Xiaohongshu, Stay Smart in Youth” awareness campaign, reminding teachers and students to be cautious of app-related cybersecurity risks.