This week marked the arrival of first monthly scheduled updates from Microsoft for the year 2024. With January Patch Tuesday update bundle, Microsoft addressed 49 different vulnerabilities, including two critical severity issues.
First Patch Tuesday Arrives From Microsoft For January 2024
The first update bundle for the year 2024 is a rather modest one, addressing 49 vulnerabilities only. Yet, it includes some significant security patches for users’ systems globally.
The most noteworthy mentions with January Patch Tuesday include two critical bug fixes. These include,
- CVE-2024-20674 (CVSS 9.0): A security feature bypass affecting Windows Kerberos that allowed impersonation to an unauthenticated MiTM attacker. Exploiting the flaw merely required local network spoofing or MiTM attack and sending a maliciously crafted Kerberos message to the target machine.
- CVE-2024-20700 (CVSS 7.8): A remote code execution vulnerability affecting Windows Hyper-V. Despite being an RCE, the vulnerability received a lesser severity score, presumably due to the requirements necessary to exploit the flaw. Microsoft stated in its advisory that exploiting this vulnerability required the attacker to gain access to the restricted network and win a race condition.
Another important mention that marginally escaped the critical severity category is CVE-2024-21318 (CVSS 8.8). The Redmond giant described it as an important severity remote code execution vulnerability affecting the Microsoft SharePoint Server. An authenticated attacker with Site Owner privileges could exploit the flaw to inject and execute arbitrary codes in the context of SharePoint Server.
Alongside these three and the other 46 important-severity vulnerabilities, this month’s update bundle also included four Chromium bug fixes. As described, all of these were remote code execution flaws that attained a high-severity rating. While not belonging to Microsoft, the tech giant still included these patches in its Patch Tuesday updates to ensure prompt patching for user devices.
Although the updates would reach all eligible systems automatically, users should still manually check their devices for the updates to receive the fixes in time.
Let us know your thoughts in the comments.