News
Microsoft Releases 49 Fixes for First Patch Tuesday of 2024
The good news is that this month does not feature any zero-day vulnerabilities (flaws that are either publicly known or being actively exploited). Further, the total 49 fixes across Microsoft's portfolio of products and services only contain two items identified as "critical," meaning leaving these unpatched could leave you vulnerable to future attacks.
The top item this month is bulletin CVE-2024-20674, a Windows Kerberos security feature bypass vulnerability that affects all currently supported versions of Windows OS and Windows Server. Along with being only one of two critical fixes this month, this also has the highest common vulnerabilities and exposures (CVE) rating of the month at 9 (on a 10-point scale).
According to Microsoft, attackers could leverage this hole by establishing a machine-in-the-middle (MITM) or spoofing attack to send a specially crafted Kerberos message to the authentication server. This could lead to a circumvention of built-in security authentication and lead to attackers gaining access through impersonation.
Even though exploitation is considered to be difficult, it's not impossible. And users should expect active attempts against unpatched systems to occur shortly, according to security expert Dustin Childs, of the Zero Day Initiative blog. "While this would certainly take some setting up, Microsoft does give the bug its highest exploitability index rating (1), which means they expect to see public exploit code within 30 days," wrote Childs. "Make sure to test and deploy this update quickly."
The second critical item that should be a high priority for IT is a remote code execution fix for Windows Hyper V (CVE-2024-20700). This item affects all versions of Windows 10, Windows 11, Windows Server 2019 and Windows Server 2022.
Although Microsoft has not disclosed much detail on this particular bulletin, it did say that pulling off successful attacks would be difficult, as it would require "an attacker to win a race condition." A race condition attack is an exploitation method where an attacker capitalizes on a timing discrepancy in a system's operations. This happens when a system concurrently processes multiple tasks without proper sequencing, allowing attackers to manipulate outcomes or access sensitive data.
The remaining 47 items released for January are all rated "important" and can be patched only after all appropriate testing has been concluded.
Finally, as part of the monthly rollup, Microsoft is including four security fixes (CVE-2024-0222, CVE-2024-0223, CVE-2024-0224, CVE-2024-0225) released by Google that affect the Chromium-based Edge browser.
The full list of this month's bulletins can be found here.