Microsoft has addressed a total of 48 security flaws spanning its software as part of its Patch Tuesday updates for January 2024.
Of the 48 bugs, two are rated Critical and 46 are rated Important in severity. There is no evidence that any of the issues are publicly known or under active attack at the time of release, making it the second consecutive Patch Tuesday with no zero-days.
The fixes are in addition to nine security vulnerabilities that have been resolved in the Chromium-based Edge browser since the release of December 2023 Patch Tuesday updates. This also includes a fix for a zero-day (CVE-2023-7024, CVSS score: 8.8) that Google said has been actively exploited in the wild.
The most critical among the flaws patched this month are as follows –
- CVE-2024-20674 (CVSS score: 9.0) – Windows Kerberos Security Feature Bypass Vulnerability
- CVE-2024-20700 (CVSS score: 7.5) – Windows Hyper-V Remote Code Execution Vulnerability
“The authentication feature could be bypassed as this vulnerability allows impersonation,” Microsoft said in an advisory for CVE-2024-20674.
“An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MitM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server.”
However, the company noted that successful exploitation requires an attacker to gain access to the restricted network first. Security researcher ldwilmore34 has been credited with discovering and reporting the flaw.
CVE-2024-20700, on the other hand, neither requires authentication nor user interaction to achieve remote code execution, although winning a race condition is a prerequisite to staging an attack.
“It isn’t clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur,” Adam Barnett, lead software engineer at Rapid7, told The Hacker News.
Other notable flaws include CVE-2024-20653 (CVSS score: 7.8), a privilege escalation flaw impacting the Common Log File System (CLFS) driver, and CVE-2024-0056 (CVSS score: 8.7), a security bypass affecting System.Data.SqlClient and Microsoft.Data.SqlClient.
“An attacker who successfully exploited this vulnerability could carry out a machine-in-the-middle (MitM) attack and could decrypt and read or modify TLS traffic between the client and server,” Redmond said about CVE-2024-0056.
Microsoft further noted that it’s disabling the ability to insert FBX files in Word, Excel, PowerPoint, and Outlook in Windows by default due to a security flaw (CVE-2024-20677, CVSS score: 7.8) that could lead to remote code execution.
“3D models in Office documents that were previously inserted from an FBX file will continue to work as expected unless the ‘Link to File’ option was chosen at the insert time,” Microsoft said in a separate alert. “GLB (Binary GL Transmission Format) is the recommended substitute 3D file format for use in Office.”
It’s worth noting that Microsoft took a similar step of disabling the SketchUp (SKP) file format in Office last year following Zscaler’s discovery of 117 security flaws in Microsoft 365 applications.
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including –