Microsoft fixed 48 vulnerabilities across its product line in its January 2024 monthly security update, marking the second consecutive Patch Tuesday without an actively exploited zero-day vulnerability.
This update covers:
- Windows: 48 vulnerabilities, 2 rated Critical and 46 rated Important, with no public evidence of exploitation at the time of release.
- Chromium-based Microsoft Edge: 9 vulnerabilities, including a zero-day exploited in the wild and previously disclosed by Google (CVE-2023-7024, CVSS 8.8).
The most critical vulnerabilities include:
- CVE-2024-20674 (CVSS 9.0). Windows Kerberos security feature bypass: an attacker on the same network who can spoof the Kerberos authentication server to a client may impersonate it and bypass authentication.
- CVE-2024-20700 (CVSS 7.5). Windows Hyper-V remote code execution that requires neither user interaction nor authentication, but does require winning a race condition.
Other notable vulnerabilities include:
- CVE-2024-20653 (CVSS 7.8). Elevation of privilege in the Common Log File System (CLFS) driver.
- CVE-2024-0056 (CVSS 8.7). Security feature bypass in System.Data.SqlClient and Microsoft.Data.SqlClient that lets a machine-in-the-middle attacker decrypt, read or modify the TLS traffic between the client and the SQL server.
Microsoft also disabled by default the ability to insert FBX files in Word, Excel, PowerPoint, and Outlook because of a security vulnerability (CVE-2024-20677, CVSS 7.8), and recommends the GLB format instead.
Apart from Microsoft, other vendors have also released security updates recently, including Adobe, AMD, Android, Arm, ASUS, Bosch, Cisco, Dell, F5, Fortinet, Google Chrome, Google Cloud, HP, IBM, Intel, Lenovo, Linux distributions, MediaTek, NETGEAR, Qualcomm, Samsung, SAP, Schneider Electric, Siemens, Splunk, Synology, Trend Micro, Zimbra and Zoom.
Refer to:
https://msrc.microsoft.com/update-guide/releaseNote/2024-Jan
Original article by Chief Security Officer (cncso.com); if reproduced, please credit https://cncso.com/en/microsoft-windows-update-patches-fixed-48-vulnerabilities-html