Microsoft fixed a total of 48 security flaws affecting its software as part of the January 2024 Patch Tuesday updates.
Of the 48 bugs, two are classified as Critical and 46 as Important by severity; fortunately there is no evidence that any of the issues are publicly known or under active attack at the time of release, making it the second consecutive Patch Tuesday without a zero-day.
What are the two critical vulnerabilities fixed by Microsoft?
The fixes are in addition to nine security vulnerabilities fixed in the Chromium-based Edge browser since the release of the December 2023 Patch Tuesday updates; these also include a fix for a zero-day (CVE-2023-7024, CVSS score: 8.8) that Google said was actively exploited in the wild.
The most critical flaws fixed this month are the following:
- CVE-2024-20674 (CVSS score: 9.0) – Windows Kerberos Security Feature Bypass Vulnerability
- CVE-2024-20700 (CVSS score: 7.5) – Windows Hyper-V Remote Code Execution Vulnerability
“The authentication function could be bypassed as this vulnerability allows exploitation [of the flaw],” Microsoft said in an advisory for CVE-2024-20674. “An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MitM) attack or another local network spoofing technique, then send a malicious Kerberos message to the victim machine client to pretend to be the Kerberos authentication server.”
However, the company noted that successful exploitation requires an attacker to first gain access to the restricted network. The security researcher ldwilmore34 was credited with discovering and reporting the flaw.
CVE-2024-20700, on the other hand, requires neither authentication nor user interaction to achieve remote code execution, although winning a race condition is a prerequisite for staging an attack.
“It is not clear exactly where the attacker should be – in the LAN where Hyper-V resides, or in a virtual network created and managed by the hypervisor – or in what context remote code execution would occur,” said Adam Barnett, principal software engineer at Rapid7.
Other notable flaws include CVE-2024-20653 (CVSS score: 7.8), an elevation of privilege flaw affecting the Common Log File System (CLFS) driver, and CVE-2024-0056 (CVSS score: 8.7), a security bypass affecting System.Data.SqlClient and Microsoft.Data.SqlClient.
“An attacker who successfully exploits this vulnerability could conduct a machine-in-the-middle (MitM) attack and could decrypt and read or modify TLS traffic between the client and the server,” Redmond said regarding CVE-2024-0056.
Microsoft also disclosed that it is disabling, by default, the ability to insert FBX files into Word, Excel, PowerPoint, and Outlook on Windows due to a security flaw (CVE-2024-20677, CVSS score: 7.8) that could lead to remote code execution.
“3D models in Office documents previously inserted from an FBX file will continue to work as expected unless the 'Link to file' option was chosen upon insertion,” Microsoft said in a separate notice. “GLB (Binary GL Transmission Format) is the recommended 3D file format for use in Office.”
It is important to note that Microsoft took a similar action of disabling the SketchUp (SKP) file format in Office last year following the discovery by Zscaler of 117 security flaws in Microsoft 365 applications.
Software patches from other vendors
In addition to Microsoft, other vendors have released security updates in recent weeks to fix several vulnerabilities, including: