Microsoft and Adobe Patch Multiple Security Vulnerabilities in First Update of 2024

Microsoft's Patch Tuesday fixed 49 flaws, including critical Windows Kerberos (CVE-2024-20674) and Hyper-V bugs (CVE-2024-20700).

Microsoft has released 49 security updates on the first Patch Tuesday of 2024, addressing a range of vulnerabilities including two with a critical severity rating. This month's security roundup also includes vital updates from Adobe and SAP, along with a series of patches from Google targeting the Android platform.

Key Vulnerabilities Addressed by Microsoft

Central to Microsoft's January updates is CVE-2024-20674, a particularly severe security feature bypass vulnerability in Windows Kerberos with a 9.0 CVSS rating. Microsoft reports that an attacker could exploit this vulnerability through methods such as a machine-in-the-middle (MITM) attack, sending a malicious Kerberos message to impersonate the authentication server. While such an attack necessitates access to a restricted network, making exploitation more challenging, Microsoft has indicated a heightened likelihood of exploitation.

The second critical-rated update concerns CVE-2024-20700, a Windows Hyper-V hypervisor remote code execution bug with a 7.5 CVSS score. To exploit this flaw, an attacker would need network access. Although the flaw is considered less likely to be targeted, those in the field stress the importance of promptly applying this update because of the high privileges Hyper-V operates with on affected systems. In addition to the critical vulnerabilities, Microsoft's patch bundle covers four high-severity flaws within Chromium-based Microsoft Edge.

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2024-20700 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2024-20674 | Windows Kerberos Security Feature Bypass Vulnerability | Critical | 9 | No | No | SFB |
| CVE-2024-0057 | .NET and Visual Studio Framework Security Feature Bypass Vulnerability | Important | 8.4 | No | No | SFB |
| CVE-2024-20672 | .NET Core and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21312 | .NET Framework Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21319 | Microsoft Identity Denial of Service Vulnerability | Important | 6.8 | No | No | DoS |
| CVE-2024-20676 | Azure Storage Mover Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2024-20666 | BitLocker Security Feature Bypass Vulnerability | Important | 6.6 | No | No | SFB |
| CVE-2024-21305 | Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB |
| CVE-2024-20652 | Internet Explorer Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
| CVE-2024-20687 | Microsoft AllJoyn API Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21306 | Microsoft Bluetooth Driver Spoofing Vulnerability | Important | 5.7 | No | No | Spoofing |
| CVE-2024-20653 | Microsoft Common Log File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20692 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
| CVE-2024-20661 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-20660 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2024-20664 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2024-21314 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2024-20654 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2024-20677 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-20655 | Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2024-21318 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-20658 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-0056 † | Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability | Important | 8.7 | No | No | SFB |
| CVE-2022-35737 * | MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow | Important | 7.5 | No | No | RCE |
| CVE-2024-21307 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2024-20656 | Visual Studio Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20683 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20686 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21310 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20694 | Windows CoreMessaging Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2024-21311 | Windows Cryptographic Services Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2024-20682 | Windows Cryptographic Services Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-20657 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2024-20699 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2024-20698 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21309 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20696 | Windows Libarchive Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
| CVE-2024-20697 | Windows Libarchive Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
| CVE-2024-20680 | Windows Message Queuing Client (MSMQC) Information Disclosure | Important | 6.5 | No | No | Info |
| CVE-2024-20663 | Windows Message Queuing Client (MSMQC) Information Disclosure | Important | 6.5 | No | No | Info |
| CVE-2024-20690 | Windows Nearby Sharing Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2024-20662 | Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability | Important | 4.9 | No | No | Info |
| CVE-2024-21316 | Windows Server Key Distribution Service Security Feature Bypass | Important | 6.1 | No | No | SFB |
| CVE-2024-20681 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21313 | Windows TCP/IP Information Disclosure Vulnerability | Important | 5.3 | No | No | Info |
| CVE-2024-20691 | Windows Themes Information Disclosure Vulnerability | Important | 4.7 | No | No | Info |
| CVE-2024-21325 | Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-21320 | Windows Themes Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2024-0222 * | Chromium: CVE-2024-0222 Use after free in ANGLE | High | N/A | No | No | RCE |
| CVE-2024-0223 * | Chromium: CVE-2024-0223 Heap buffer overflow in ANGLE | High | N/A | No | No | RCE |
| CVE-2024-0224 * | Chromium: CVE-2024-0224 Use after free in WebAudio | High | N/A | No | No | RCE |
| CVE-2024-0225 * | Chromium: CVE-2024-0225 Use after free in WebGPU | High | N/A | No | No | RCE |

Security Updates Across the Tech Landscape

On the software front, Adobe has deployed a single security update for Substance 3D Stager. This patch rectifies six vulnerabilities, all classified as “important”, and addresses issues that could potentially lead to memory leaks and arbitrary code execution. None of these vulnerabilities were reportedly exploited prior to the release of the updates.

Shifting focus to enterprise solutions, SAP has delivered updates to fix 12 issues, with three tagged as HotNews Notes. A notable patch is directed at an escalation of privileges vulnerability in SAP Edge Integration Cell, as well as in certain applications developed with SAP's suite of development tools. In response, experts advise upgrading to the latest versions of affected libraries.

Cisco has rounded out its updates for privilege escalation vulnerabilities discovered in its Identity Services Engine (ISE) last September. While a patch has been issued for one of the CVEs, the company acknowledges that the other, CVE-2023-20193, remains without a fix. This particular vulnerability requires an authenticated administrator to exploit and is not enabled by default.

Lastly, Google's January Security Bulletin for Android resolves 59 vulnerabilities, with the most serious offering a path to local escalation of privilege. Fortunately, there is no evidence indicating that these vulnerabilities have been exploited in the wild.

Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.
