In its latest Patch Tuesday release for January 2024, Microsoft has addressed 48 security vulnerabilities across its software portfolio. Of these, two vulnerabilities are categorized as Critical, while the remaining 46 are marked as Important. Notably, none of these vulnerabilities have been publicly disclosed or actively exploited, making this the second consecutive Patch Tuesday without any zero-day vulnerabilities.
Key Highlights of the Update
In addition to these patches, Microsoft has also resolved nine security issues in the Chromium-based Edge browser since the December 2023 updates. Among these fixes is a critical patch for a zero-day vulnerability (CVE-2023-7024, CVSS score: 8.8) that Google has confirmed was being actively exploited in the wild.
Critical Vulnerabilities Addressed
This month’s update includes fixes for some of the most severe vulnerabilities, including:
CVE-2024-20674 (CVSS score: 9.0) – Windows Kerberos Security Feature Bypass Vulnerability: This vulnerability could allow an attacker to bypass authentication and impersonate another user. The attack could be executed through a man-in-the-middle (MitM) approach or local network spoofing, where the attacker sends a malicious Kerberos message to trick the victim’s machine into recognizing it as the Kerberos authentication server. However, the attack requires the attacker to have access to the targeted network. Security researcher ldwilmore34 discovered and reported this flaw.
CVE-2024-20700 (CVSS score: 7.5) – Windows Hyper-V Remote Code Execution Vulnerability: This flaw allows remote code execution without requiring authentication or user interaction. However, to exploit this vulnerability, the attacker must win a race condition, the specifics of which have not been detailed.
Additional Vulnerabilities of Note
Other significant vulnerabilities patched in this update include:
CVE-2024-20653 (CVSS score: 7.8): A privilege escalation issue affecting the Common Log File System (CLFS) driver.
CVE-2024-0056 (CVSS score: 8.7): A security bypass flaw impacting System.Data.SqlClient and Microsoft.Data.SqlClient.
Proactive Security Measures
In response to a separate security concern (CVE-2024-20677, CVSS score: 7.8), Microsoft has taken proactive steps by disabling the default ability to insert FBX files in Word, Excel, PowerPoint, and Outlook. This decision was made to prevent potential remote code execution attacks. Microsoft recommends using the GLB (Binary GL Transmission Format) as a safer alternative for 3D file formats in Office applications.
This precaution mirrors a similar action taken last year when Microsoft disabled the SketchUp (SKP) file format in Office after the discovery of 117 security vulnerabilities in Microsoft 365 applications by Zscaler.
Conclusion
With the January 2024 Patch Tuesday updates, Microsoft continues its commitment to enhancing the security of its software. By addressing these vulnerabilities and implementing preventive measures, the company is helping to safeguard users and organizations against potential threats.