Microsoft’s January 2024 Windows Update Addresses 48 New Vulnerabilities

  • Home
  • Microsoft’s January 2024 Windows Update Addresses 48 New Vulnerabilities

Microsoft’s January 2024 Windows Update Addresses 48 New Vulnerabilities

In its latest Patch Tuesday updates for January 2024, Microsoft has diligently addressed a total of 48 security vulnerabilities across its software portfolio. Among these vulnerabilities, two are classified as Critical, while the remaining 46 are deemed Important in severity. Importantly, none of these issues have shown any evidence of being publicly known or actively exploited, marking the second consecutive Patch Tuesday without the presence of zero-day vulnerabilities.

Complementing these fixes are resolutions for nine security vulnerabilities identified in the Chromium-based Edge browser since the December 2023 Patch Tuesday updates. Notably, this includes a fix for a zero-day vulnerability (CVE-2023-7024, CVSS score: 8.8) acknowledged by Google to be actively exploited in the wild.

The most critical vulnerabilities addressed in this month’s updates are as follows:

  1. CVE-2024-20674 (CVSS score: 9.0) – Windows Kerberos Security Feature Bypass Vulnerability
  2. CVE-2024-20700 (CVSS score: 7.5) – Windows Hyper-V Remote Code Execution Vulnerability

Regarding CVE-2024-20674, Microsoft explained in an advisory that the authentication feature could be bypassed, allowing for impersonation. An authenticated attacker could exploit this vulnerability through a machine-in-the-middle (MitM) attack or other local network spoofing techniques, sending a malicious Kerberos message to the victim machine to pose as the Kerberos authentication server. However, successful exploitation necessitates an attacker gaining access to the restricted network. The flaw was discovered and reported by security researcher ldwilmore34.

As for CVE-2024-20700, it does not require authentication or user interaction for remote code execution, although a race condition must be won to stage the attack. The exact location of the attacker and the context of the remote code execution are not explicitly specified.

Other notable vulnerabilities include CVE-2024-20653 (CVSS score: 7.8), a privilege escalation flaw impacting the Common Log File System (CLFS) driver, and CVE-2024-0056 (CVSS score: 8.7), a security bypass affecting System.Data.SqlClient and Microsoft.Data.SqlClient.

Microsoft has taken additional measures, such as disabling the ability to insert FBX files in Word, Excel, PowerPoint, and Outlook by default due to a security flaw (CVE-2024-20677, CVSS score: 7.8) that could lead to remote code execution. Microsoft recommends using GLB (Binary GL Transmission Format) as the preferred substitute 3D file format for Office applications.

It’s noteworthy that Microsoft implemented a similar precaution last year by disabling the SketchUp (SKP) file format in Office following the discovery of 117 security flaws in Microsoft 365 applications by Zscaler.