Microsoft has released 49 security updates on the first Patch Tuesday of 2024, addressing a range of vulnerabilities including two with a critical severity rating. This month's security roundup also includes vital updates from Adobe and SAP, along with a series of patches from Google targeting the Android platform.
Key Vulnerabilities Addressed by Microsoft
Central to Microsoft's January updates is CVE-2024-20674, a particularly severe security feature bypass vulnerability in Windows Kerberos with a 9.0 CVSS rating. Microsoft reports that an attacker could exploit this vulnerability through methods such as a machine-in-the-middle (MITM) attack, sending a malicious Kerberos message to impersonate the authentication server. While such an attack necessitates access to a restricted network, making exploitation more challenging, Microsoft has indicated a heightened likelihood of exploitation.
The second critical-rated update concerns CVE-2024-20700, a Windows Hyper-V hypervisor remote code execution bug with a 7.5 CVSS score. To exploit this flaw, an attacker would need network access. Although it is considered less likely to be targeted, those in the cybersecurity field stress the importance of promptly applying this update because of the high privileges Hyper-V operates with on affected systems. In addition to the critical vulnerabilities, Microsoft's patch bundle covers four high-severity flaws within Chromium-based Microsoft Edge.
CVE | Title | Severity | CVSS | Public | Exploited | Type |
CVE-2024-20700 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
CVE-2024-20674 | Windows Kerberos Security Feature Bypass Vulnerability | Critical | 9 | No | No | SFB |
CVE-2024-0057 | .NET and Visual Studio Framework Security Feature Bypass Vulnerability | Important | 8.4 | No | No | SFB |
CVE-2024-20672 | .NET Core and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2024-21312 | .NET Framework Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2024-21319 | Microsoft Identity Denial of Service Vulnerability | Important | 6.8 | No | No | DoS |
CVE-2024-20676 | Azure Storage Mover Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
CVE-2024-20666 | BitLocker Security Feature Bypass Vulnerability | Important | 6.6 | No | No | SFB |
CVE-2024-21305 | Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB |
CVE-2024-20652 | Internet Explorer Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
CVE-2024-20687 | Microsoft AllJoyn API Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2024-21306 | Microsoft Bluetooth Driver Spoofing Vulnerability | Important | 5.7 | No | No | Spoofing |
CVE-2024-20653 | Microsoft Common Log File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2024-20692 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
CVE-2024-20661 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2024-20660 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2024-20664 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2024-21314 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2024-20654 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
CVE-2024-20677 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2024-20655 | Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
CVE-2024-21318 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2024-20658 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2024-0056 † | Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability | Important | 8.7 | No | No | SFB |
CVE-2022-35737 * | MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow | Important | 7.5 | No | No | RCE |
CVE-2024-21307 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
CVE-2024-20656 | Visual Studio Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2024-20683 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2024-20686 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2024-21310 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2024-20694 | Windows CoreMessaging Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2024-21311 | Windows Cryptographic Services Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2024-20682 | Windows Cryptographic Services Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2024-20657 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2024-20699 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
CVE-2024-20698 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2024-21309 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2024-20696 | Windows Libarchive Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2024-20697 | Windows Libarchive Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2024-20680 | Windows Message Queuing Client (MSMQC) Information Disclosure | Important | 6.5 | No | No | Info |
CVE-2024-20663 | Windows Message Queuing Client (MSMQC) Information Disclosure | Important | 6.5 | No | No | Info |
CVE-2024-20690 | Windows Nearby Sharing Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
CVE-2024-20662 | Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability | Important | 4.9 | No | No | Info |
CVE-2024-21316 | Windows Server Key Distribution Service Security Feature Bypass | Important | 6.1 | No | No | SFB |
CVE-2024-20681 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2024-21313 | Windows TCP/IP Information Disclosure Vulnerability | Important | 5.3 | No | No | Info |
CVE-2024-20691 | Windows Themes Information Disclosure Vulnerability | Important | 4.7 | No | No | Info |
CVE-2024-21325 | Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2024-21320 | Windows Themes Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
CVE-2024-0222 * | Chromium: CVE-2024-0222 Use after free in ANGLE | High | N/A | No | No | RCE |
CVE-2024-0223 * | Chromium: CVE-2024-0223 Heap buffer overflow in ANGLE | High | N/A | No | No | RCE |
CVE-2024-0224 * | Chromium: CVE-2024-0224 Use after free in WebAudio | High | N/A | No | No | RCE |
CVE-2024-0225 * | Chromium: CVE-2024-0225 Use after free in WebGPU | High | N/A | No | No | RCE |
Security Updates Across the Tech Landscape
On the software front, Adobe has deployed a single security update for Substance 3D Stager. This patch rectifies six vulnerabilities, all classified as “important”, and addresses issues that could potentially lead to memory leaks and arbitrary code execution. None of these vulnerabilities were reportedly exploited prior to the release of the updates.
Shifting focus to enterprise solutions, SAP has delivered updates to fix 12 issues, with three tagged as HotNews Notes. A notable patch is directed at an escalation of privileges vulnerability in SAP Edge Integration Cell, as well as in certain applications developed with SAP's suite of development tools. In response, experts advise upgrading to the latest versions of affected libraries.
Cisco has rounded out its updates for privilege escalation vulnerabilities discovered in its Identity Services Engine (ISE) last September. While a patch has been issued for one of the CVEs, the company acknowledges that the other, CVE-2023-20193, remains without a fix. This particular vulnerability requires an authenticated administrator to exploit and is not enabled by default.
Lastly, Google's January Security Bulletin for Android resolves 59 vulnerabilities, with the most serious offering a path to local escalation of privilege. Fortunately, there is no evidence indicating that these vulnerabilities have been exploited in the wild.