In this week’s TL;DR, we look at recent security updates from Google and Microsoft for Android and Outlook, respectively. These updates are in response to recent vulnerabilities and exploits identified in their platforms.
Google releases security update
Google has released an April 2025 security update for Android, which addresses 62 vulnerabilities, including two high-severity flaws that were actively exploited in the wild. These two exploited vulnerabilities are CVE-2024-53150, an out-of-bounds flaw in the USB sub-component of the kernel leading to information disclosure, and CVE-2024-53197, a privilege escalation flaw in the same component. Both vulnerabilities have a CVSS score of 7.8.
Google acknowledged that these issues were subject to “limited, targeted exploitation.” Notably, CVE-2024-53197, along with CVE-2024-53104 and CVE-2024-50302, were previously reported by Amnesty International to have been used to compromise a Serbian youth activist’s Android phone in December 2024. Google addressed CVE-2024-53104 in February 2025 and CVE-2024-50302 in March 2025. With the latest update, all three vulnerabilities have been patched, closing the exploit chain.
The update also fixes a critical security vulnerability in the System component that could lead to remote escalation of privilege without requiring additional execution privileges or user interaction. Google emphasized the severity of this issue in its monthly security bulletin for April 2025.
Google has not provided specific details on how CVE-2024-53150 has been exploited. However, users are advised to apply the updates promptly as they become available from their device manufacturers. While Google Pixel devices receive these updates immediately, other manufacturers may require time to deploy the fixes.
TL;DR Android security update:
In April 2025, Google released an Android security update fixing 62 issues, including two actively exploited USB kernel flaws (CVE-2024-53150 and CVE-2024-53197) used in a targeted attack. The update also patches a critical System vulnerability allowing remote privilege escalation. With this release, a known exploit chain reported by Amnesty International is now fully addressed. Users are urged to install the update promptly, though rollout times may vary by device manufacturer.
New Microsoft Outlook sender rules
Microsoft is set to enforce new security requirements for high-volume email senders—those dispatching over 5,000 emails daily. Starting May 5, 2025, these senders must implement three authentication protocols: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). These protocols are designed to verify the legitimacy of a sender’s domain. The aim is to reduce spam and spoofing attacks that pose significant risks to users.
Initially, non-compliant messages from these high-volume senders will be directed to recipients’ Junk folders, providing senders an opportunity to address any issues. Future updates may lead to outright rejection of non-compliant emails to enhance user protection. These changes apply specifically to Outlook.com, which includes domains like hotmail.com, live.com, and outlook.com.
Beyond these mandatory protocols, Microsoft recommends additional email hygiene practices for high-volume senders to maintain quality and trust. These include using valid “From” or “Reply-To” addresses that reflect the true sending domain and can receive replies, providing clear and functional unsubscribe links, regularly removing invalid addresses to reduce spam complaints and bounces, and ensuring transparent mailing practices with accurate subject lines and recipient consent.
While these requirements initially target large-scale senders, Microsoft plans to announce an official rollout schedule for other senders at a later date. Senders are encouraged to adopt these protocols promptly to avoid potential disruptions and enhance overall email security.
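As an added example (not from the original post or from Microsoft), the following Python checker applies the three requirements described above to a sending domain's DNS TXT records. The domain, DKIM selector and records are constructed sample data, and the SPF limit of 10 DNS-lookup mechanisms comes from RFC 7208 rather than from the post.

```python
import re

# Constructed TXT records for a hypothetical sending domain (not real DNS data); a real check would resolve them.
SAMPLE_TXT = {
    "example-sender.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.test -all"],
    "s1._domainkey.example-sender.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOC..."],
    "_dmarc.example-sender.test": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example-sender.test"],
}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def parse_tags(record):
    """Turn a 'k=v; k=v' DKIM/DMARC record into a dict with lower-cased keys."""
    return {k.strip().lower(): v.strip()
            for k, sep, v in (p.partition("=") for p in record.split(";")) if sep}

def check_spf(txt):
    """One v=spf1 record, a terminal 'all' mechanism, at most 10 DNS lookups (RFC 7208)."""
    spf = [r for r in txt if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False, "exactly one v=spf1 record required"
    terms = spf[0].split()[1:]
    if not terms or terms[-1].lstrip("+-~?").lower() != "all":
        return False, "SPF must end with an 'all' mechanism (-all or ~all)"
    names = [re.split(r"[:/=]", t.lstrip("+-~?").lower())[0] for t in terms]
    lookups = sum(n in DNS_MECHANISMS for n in names)
    if lookups > 10:
        return False, f"{lookups} DNS-lookup mechanisms exceeds the limit of 10"
    return True, "ok"

def check_dkim(txt):
    """Selector record must be v=DKIM1 with a non-empty public key in p=."""
    for r in txt:
        tags = parse_tags(r)
        if tags.get("v", "").upper() == "DKIM1":
            return (True, "ok") if tags.get("p") else (False, "empty p= tag (key revoked)")
    return False, "no v=DKIM1 record at selector"

def check_dmarc(txt):
    """_dmarc record must start with v=DMARC1 and carry a valid p= policy."""
    for r in txt:
        if r.strip().lower().startswith("v=dmarc1"):
            policy = parse_tags(r).get("p", "").lower()
            if policy in {"none", "quarantine", "reject"}:
                return True, f"policy={policy}"
            return False, f"invalid or missing DMARC policy '{policy}'"
    return False, "no v=DMARC1 record"

def check_sender_domain(domain, selector, txt=SAMPLE_TXT):
    """Run the three checks a high-volume sender must pass; returns per-protocol (ok, reason)."""
    return {"spf": check_spf(txt.get(domain, [])),
            "dkim": check_dkim(txt.get(f"{selector}._domainkey.{domain}", [])),
            "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}", []))}
```

A failing tuple in the result is what would land a sender's mail in recipients' Junk folders under the new rules, so it is the thing to fix before the deadline.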
TL;DR Outlook sender rules
Starting May 5, 2025, Microsoft will require high-volume email senders to use SPF, DKIM, and DMARC protocols to improve Outlook.com security. Non-compliant emails will go to Junk folders, with stricter enforcement to follow. Microsoft also recommends using valid sender addresses, unsubscribe links, and clean mailing lists. A broader rollout is planned, and early adoption is encouraged.
Conclusion
These updates from two of the largest technology vendors serve both as a reminder to stay up to date if you use these platforms and as a showcase of best practice: keep your software patched and your environment resilient against exploits. Get in touch to learn how ThinScale can help keep your endpoint environment secured against the latest threats.