Microsoft's calm start to 2024: January Patch Tuesday addresses 49 bugs
None of them is currently under active exploitation or publicly disclosed
After a notably calm December Patch Tuesday, Microsoft has continued its streak of subdued security updates, welcoming the New Year with a modest batch of fixes in its latest release.
Microsoft's first Patch Tuesday update of 2024 includes fixes for 49 security vulnerabilities, including patches for two critical-rated vulnerabilities. The overall count excludes four Microsoft Edge flaws that were fixed earlier this month.
The extensive list of addressed vulnerabilities spans multiple Microsoft products, including Windows and Windows Components, Azure, .NET Framework and Visual Studio, Office and Office Components, SQL Server, and Windows Hyper-V.
The breakdown of the vulnerabilities is as follows:
• 12 remote code execution vulnerabilities
• 11 information disclosure vulnerabilities
• 10 elevation of privilege vulnerabilities
• 7 security feature bypass vulnerabilities
• 6 denial-of-service vulnerabilities
• 3 spoofing vulnerabilities
Crucially, Microsoft has assured users that none of the bugs addressed this month are currently under active exploitation or publicly disclosed.
The two critical vulnerabilities addressed were identified as a Windows Kerberos Security Feature Bypass (CVE-2024-20674) and an RCE affecting Hyper-V (CVE-2024-20700).
CVE-2024-20674 is security feature bypass bug in Windows Kerberos, receiving the highest CVSS severity rating of 9.0 out of 10.
This flaw, as explained by Microsoft, could be exploited by an unauthenticated attacker employing a machine-in-the-middle attack or other local network spoofing techniques. The attacker would then send a malicious Kerberos message to the victim's machine, masquerading as the Kerberos authentication server.
While the successful execution of an attack necessitates access to the network, cybersecurity experts suggest that the risk is significant enough to warrant swift action.
"CVE-2024-20674 is a critical vulnerability that undermines the authentication mechanisms in systems using Kerberos authentication," said Saeed Abbasi, product manager, vulnerability research at Qualys Threat Research Unit.
"It's not remotely exploitable over the internet but requires proximity to the internal network. Also, this breach can spread to areas not directly managed by the compromised system's security protocols. There is a high likelihood of active exploitation attempts in the near future."
"Beyond standard patching, consider enhancing network monitoring capabilities. Look for unusual patterns or anomalies in network traffic that could indicate a MITM attack or unauthorized Kerberos traffic," Abbasi added.
The second critical-rated vulnerability, CVE-2024-20700, is a 7.5-rated RCE bug in the Windows Hyper-V hypervisor.
Exploiting this flaw successfully requires an attacker to first gain access to the restricted network and win a race condition.
While listed as "exploitation less likely," the severity of the bug underscores the importance of prompt patching.
Another noteworthy vulnerability, tracked as CVE-2024-21318, is found in Microsoft SharePoint Server and is rated as important with a CVSS score of 8.8.
An authenticated attacker on the network could exploit this flaw to run malicious code on the SharePoint server.
Microsoft's assessment indicates "exploitation more likely" due to the relatively low technical barrier required to trigger the exploit.
Microsoft Office also faces a RCE bug (CVE-2024-20677), which is rated as important and assigned a CVSS score of 7.8. Threat actors could exploit this flaw by executing remote code through an Office document containing an FBX file.
To mitigate this risk, Microsoft's fix disables the ability to insert 3D models in FBX format in Word, Excel, PowerPoint for both Windows and Mac, and Outlook for Windows.