As part of the January 2024 Patch Tuesday update, Microsoft has addressed a total of 48 security vulnerabilities in its software.
Of the 48 bugs, 2 bugs were rated Critical and 46 bugs were rated Important. There is no evidence that any issues were publicly known or actively exploited at the time of release, making it the second Patch Tuesday in a row without a zero-day vulnerability.
Nine security vulnerabilities have been addressed in the Chromium-based Edge browser in addition to fixes since the release of the December 2023 Patch Tuesday update. This also includes a fix for a zero-day vulnerability (CVE-2023-7024, CVSS score: 8.8), which Google says is actively exploited in the wild.
The most critical of the bugs fixed this month are as follows:
- CVE-2024-20674 (CVSS Rating: 9.0) – Windows Kerberos Security Feature Bypass Vulnerability
- CVE-2024-20700 (CVSS Rating: 7.5) – Windows Hyper-V Remote Code Execution Vulnerability
“Authentication functionality may be bypassed because this vulnerability allows impersonation,” Microsoft said in the advisory for CVE-2024-20674.
“An authenticated attacker could exploit this vulnerability via a Create-in-the-Middle Machine (MitM) attack or other local network deception techniques and then send a malicious Kerberos message to the client victim computer to trick itself into acting as a Kerberos authentication server device.”
However, the company noted that successfully exploiting the vulnerability would require an attacker to first gain access to a restricted network.security researcher de Wilmore 34 Credit is given for discovering and reporting the flaw.
CVE-2024-20700, on the other hand, requires neither authentication nor user interaction to achieve remote code execution, although winning the race condition is a prerequisite for launching the attack.
“It is unclear where exactly the attacker is located – on the LAN where the hypervisor is located, or on the virtual network created and managed by the hypervisor – or in what environment the remote code execution would occur,” said Chief Software Officer Adam Barnett. Rapid7 engineers told The Hacker News.
Other notable flaws include CVE-2024-20653 (CVSS score: 7.8), a privilege escalation flaw affecting the Common Logging File System (CLFS) driver, and CVE-2024-0056 (CVSS score: 8.7), which affects the security of the system. bypass). Data.SqlClient and Microsoft.Data.SqlClient.
“An attacker who successfully exploits this vulnerability could conduct a machine-in-the-middle (MitM) attack and decrypt, read, or modify TLS traffic between the client and server,” Raymond said.
Microsoft further pointed out that due to a security flaw that could lead to remote code execution (CVE-2024-20677, CVSS score: 7.8), it will disable Insert in Word, Excel, PowerPoint and Outlook in Windows by default Features of FBX files.
“3D models in Office documents previously inserted from FBX files will continue to work as expected unless the ‘Link to file’ option is selected when inserting,” Microsoft said in a separate warning. “GLB (Binary GL Transfer) format) is the recommended alternative 3D archive format for use in Office.”
It’s worth noting that after ZScaler discovered 117 security vulnerabilities in Microsoft 365 apps, Microsoft took similar steps to disable the SketchUp (SKP) file format in Office.
Software patches from other vendors
In addition to Microsoft, other vendors have released security updates over the past few weeks to fix multiple vulnerabilities, including:
1 Comment
Pingback: Microsoft’s January 2024 Windows Update patches 48 new vulnerabilities – Marshall Henri