Today is Microsoft’s January 2024 Patch Tuesday, which includes security updates for a total of 49 flaws and 12 remote code execution vulnerabilities.
Only two vulnerabilities were classified as critical, with one being a Windows Kerberos Security Feature Bypass and the other a Hyper-V RCE.
The number of bugs in each vulnerability category is listed below:
- 10 Elevation of Privilege Vulnerabilities
- 7 Security Feature Bypass Vulnerabilities
- 12 Remote Code Execution Vulnerabilities
- 11 Information Disclosure Vulnerabilities
- 6 Denial of Service Vulnerabilities
- 3 Spoofing Vulnerabilities
The total count of 49 flaws does not include 4 Microsoft Edge flaws fixed on January 5th.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5034123 cumulative update.
This month’s interesting flaws
While there were no actively exploited or publicly disclosed vulnerabilities this month, some flaws are more interesting than others.
Microsoft fixes an Office Remote Code Execution Vulnerability tracked as CVE-2024-20677 that allows threat actors to create maliciously crafted Office documents with embedded FBX 3D model files to perform remote code execution.
“A security vulnerability exists in FBX that could lead to remote code execution. To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac,” explains Microsoft security bulletin.
“Versions of Office that had this feature enabled will no longer have access to it. This includes Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365.”
“3D models in Office documents that were previously inserted from a FBX file will continue to work as expected unless the Link to File option was chosen at insert time.”
A critical Windows Kerberos bug tracked as CVE-2024-20674 was also fixed today, allowing an attacker to bypass the authentication feature.
“An unauthenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server,” reads a support bulletin.
Recent updates from other companies
Other vendors who released updates or advisories in January 2023 include:
The January 2024 Patch Tuesday Security Updates
Below is the complete list of resolved vulnerabilities in the January 2023 Patch Tuesday updates.
To access the full description of each vulnerability and the systems it affects, you can view the full report here.
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| .NET and Visual Studio | CVE-2024-0057 | NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability | Important |
| .NET Core & Visual Studio | CVE-2024-20672 | .NET Core and Visual Studio Denial of Service Vulnerability | Important |
| .NET Framework | CVE-2024-21312 | .NET Framework Denial of Service Vulnerability | Important |
| Azure Storage Mover | CVE-2024-20676 | Azure Storage Mover Remote Code Execution Vulnerability | Important |
| Microsoft Bluetooth Driver | CVE-2024-21306 | Microsoft Bluetooth Driver Spoofing Vulnerability | Important |
| Microsoft Devices | CVE-2024-21325 | Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2024-0222 | Chromium: CVE-2024-0222 Use after free in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2024-0223 | Chromium: CVE-2024-0223 Heap buffer overflow in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2024-0224 | Chromium: CVE-2024-0224 Use after free in WebAudio | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2024-0225 | Chromium: CVE-2024-0225 Use after free in WebGPU | Unknown |
| Microsoft Identity Services | CVE-2024-21319 | Microsoft Identity Denial of service vulnerability | Important |
| Microsoft Office | CVE-2024-20677 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2024-21318 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| Microsoft Virtual Hard Drive | CVE-2024-20658 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | Important |
| Remote Desktop Client | CVE-2024-21307 | Remote Desktop Client Remote Code Execution Vulnerability | Important |
| SQL Server | CVE-2024-0056 | Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability | Important |
| SQLite | CVE-2022-35737 | MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow | Important |
| Unified Extensible Firmware Interface | CVE-2024-21305 | Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability | Important |
| Visual Studio | CVE-2024-20656 | Visual Studio Elevation of Privilege Vulnerability | Important |
| Windows AllJoyn API | CVE-2024-20687 | Microsoft AllJoyn API Denial of Service Vulnerability | Important |
| Windows Authentication Methods | CVE-2024-20674 | Windows Kerberos Security Feature Bypass Vulnerability | Critical |
| Windows BitLocker | CVE-2024-20666 | BitLocker Security Feature Bypass Vulnerability | Important |
| Windows Cloud Files Mini Filter Driver | CVE-2024-21310 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Windows Collaborative Translation Framework | CVE-2024-20694 | Windows CoreMessaging Information Disclosure Vulnerability | Important |
| Windows Common Log File System Driver | CVE-2024-20653 | Microsoft Common Log File System Elevation of Privilege Vulnerability | Important |
| Windows Cryptographic Services | CVE-2024-20682 | Windows Cryptographic Services Remote Code Execution Vulnerability | Important |
| Windows Cryptographic Services | CVE-2024-21311 | Windows Cryptographic Services Information Disclosure Vulnerability | Important |
| Windows Group Policy | CVE-2024-20657 | Windows Group Policy Elevation of Privilege Vulnerability | Important |
| Windows Hyper-V | CVE-2024-20699 | Windows Hyper-V Denial of Service Vulnerability | Important |
| Windows Hyper-V | CVE-2024-20700 | Windows Hyper-V Remote Code Execution Vulnerability | Critical |
| Windows Kernel | CVE-2024-20698 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel-Mode Drivers | CVE-2024-21309 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important |
| Windows Libarchive | CVE-2024-20697 | Windows Libarchive Remote Code Execution Vulnerability | Important |
| Windows Libarchive | CVE-2024-20696 | Windows Libarchive Remote Code Execution Vulnerability | Important |
| Windows Local Security Authority Subsystem Service (LSASS) | CVE-2024-20692 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | Important |
| Windows Message Queuing | CVE-2024-20660 | Microsoft Message Queuing Information Disclosure Vulnerability | Important |
| Windows Message Queuing | CVE-2024-20664 | Microsoft Message Queuing Information Disclosure Vulnerability | Important |
| Windows Message Queuing | CVE-2024-20680 | Windows Message Queuing Client (MSMQC) Information Disclosure | Important |
| Windows Message Queuing | CVE-2024-20663 | Windows Message Queuing Client (MSMQC) Information Disclosure | Important |
| Windows Message Queuing | CVE-2024-21314 | Microsoft Message Queuing Information Disclosure Vulnerability | Important |
| Windows Message Queuing | CVE-2024-20661 | Microsoft Message Queuing Denial of Service Vulnerability | Important |
| Windows Nearby Sharing | CVE-2024-20690 | Windows Nearby Sharing Spoofing Vulnerability | Important |
| Windows ODBC Driver | CVE-2024-20654 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important |
| Windows Online Certificate Status Protocol (OCSP) SnapIn | CVE-2024-20662 | Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability | Important |
| Windows Online Certificate Status Protocol (OCSP) SnapIn | CVE-2024-20655 | Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability | Important |
| Windows Scripting | CVE-2024-20652 | Windows HTML Platforms Security Feature Bypass Vulnerability | Important |
| Windows Server Key Distribution Service | CVE-2024-21316 | Windows Server Key Distribution Service Security Feature Bypass | Important |
| Windows Subsystem for Linux | CVE-2024-20681 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important |
| Windows TCP/IP | CVE-2024-21313 | Windows TCP/IP Information Disclosure Vulnerability | Important |
| Windows Themes | CVE-2024-20691 | Windows Themes Information Disclosure Vulnerability | Important |
| Windows Themes | CVE-2024-21320 | Windows Themes Spoofing Vulnerability | Important |
| Windows Win32 Kernel Subsystem | CVE-2024-20686 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2024-20683 | Win32k Elevation of Privilege Vulnerability | Important |