In January 2024, Microsoft released its Patch Tuesday update [3] [5], which included a total of 49 fixes [4]. Among them were fixes for critical vulnerabilities in the Windows Kerberos authentication protocol and in the Windows Hyper-V subsystem.

Description

The first critical fix in the update addressed a security feature bypass vulnerability in the Windows Kerberos authentication protocol (CVE-2024-20674). The flaw allowed an unauthenticated attacker to carry out a machine-in-the-middle attack and impersonate a Kerberos server [2]. Microsoft rates the exploitability of this bug as high and expects public exploit code to appear within 30 days [2].

The second critical fix addressed a remote code execution vulnerability in the Windows Hyper-V subsystem (CVE-2024-20700) [4]. Exploitation requires neither authentication nor user interaction [2] [5], which makes the bug attractive to exploit writers [2]. Successful exploitation depends on winning a race condition [2]; the exact mechanism by which code execution is achieved has not been described [2].

In addition to these critical fixes, the update covered a range of Microsoft products, including .NET [1] [3], Visual Studio [3], Azure Storage Mover [3], the Microsoft Bluetooth Driver [3], Microsoft Devices [3] [4] [5], Microsoft Identity Services [3], Microsoft Office [3] [5], and Microsoft Office SharePoint [3]. It also addressed 46 vulnerabilities rated important, including remote code execution (RCE) and information disclosure vulnerabilities [3].

Conclusion

While the Patch Tuesday update provided important fixes for a range of vulnerabilities, it did not include a patch for the SQLite vulnerability known as “Stranger Strings” (CVE-2022-35737) [3]. That CVE was assigned by MITRE, and the vulnerability was patched in SQLite in July 2022 [3]. Users should be aware of this omission and take appropriate measures to mitigate the risk it poses.

References

[1] https://www.helpnetsecurity.com/2024/01/09/cve-2024-20674-cve-2024-20700/
[2] https://www.thezdi.com/blog/2024/1/9/the-january-2024-security-update-review
[3] https://www.tenable.com/blog/microsofts-january-2024-patch-tuesday-addresses-48-cves-cve-2024-20674
[4] https://redmondmag.com/articles/2024/01/10/microsoft-releases-49-fixes-for-first-patch-tuesday-of-2024.aspx
[5] https://thehackernews.com/2024/01/microsofts-january-2024-windows-update.html