Microsoft has released its Patch Tuesday updates for January 2024, addressing a total of 48 security flaws across its software. Among these vulnerabilities, two are categorized as Critical, while the remaining 46 are labeled as Important. Notably, there is no evidence of any publicly known or actively exploited zero-day vulnerabilities at the time of the release, marking the second consecutive Patch Tuesday without such issues. The updates also encompass fixes for nine security vulnerabilities in the Chromium-based Edge browser, including a resolution for a zero-day (CVE-2023-7024) actively exploited in the wild.
The most critical vulnerabilities addressed in this release include CVE-2024-20674, a Windows Kerberos Security Feature Bypass vulnerability, and CVE-2024-20700, a Windows Hyper-V Remote Code Execution vulnerability. The former could potentially allow impersonation through bypassing the authentication feature, requiring an attacker to gain access to the restricted network first. The latter, however, does not necessitate authentication or user interaction for remote code execution, but the attacker must succeed in a race condition to stage an attack. Additionally, other notable flaws include a privilege escalation issue affecting the Common Log File System (CLFS) driver (CVE-2024-20653) and a security bypass impacting System.Data.SqlClient and Microsoft.Data.SqlClient (CVE-2024-0056).
In a notable move, Microsoft has disabled the ability to insert FBX files in Word, Excel, PowerPoint, and Outlook by default due to a security flaw (CVE-2024-20677) that could lead to remote code execution. This precautionary measure is taken to enhance security, and Microsoft recommends using GLB (Binary GL Transmission Format) as the substitute 3D file format for use in Office. This action is reminiscent of a similar step taken last year when Microsoft disabled the SketchUp (SKP) file format in Office following the discovery of multiple security flaws by Zscaler.
