Today is Microsoft’s January 2024 Patch Tuesday, which includes security updates for a total of 49 flaws and 12 remote code execution vulnerabilities.
Only two vulnerabilities were classified as critical, with one being a Windows Kerberos Security Feature Bypass and the other a Hyper-V RCE.
The number of bugs in each vulnerability category is listed below:
10 Elevation of Privilege Vulnerabilities
7 Security Feature Bypass Vulnerabilities
12 Remote Code Execution Vulnerabilities
11 Information Disclosure Vulnerabilities
6 Denial of Service Vulnerabilities
3 Spoofing Vulnerabilities
The total count of 49 flaws does not include 4 Microsoft Edge flaws fixed on January 5th.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5034123 cumulative update.
This month’s interesting flaws
While there were no actively exploited or publicly disclosed vulnerabilities this month, some flaws are more interesting than others.
Microsoft fixes an Office Remote Code Execution Vulnerability tracked as CVE-2024-20677 that allows threat actors to create maliciously crafted Office documents with embedded FBX 3D model files to perform remote code execution.
“A security vulnerability exists in FBX that could lead to remote code execution. To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac,” explains Microsoft security bulletin.
“Versions of Office that had this feature enabled will no longer have access to it. This includes Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365.”
“3D models in Office documents that were previously inserted from a FBX file will continue to work as expected unless the Link to File option was chosen at insert time.”
A critical Windows Kerberos bug tracked as CVE-2024-20674 was also fixed today, allowing an attacker to bypass the authentication feature.
“An unauthenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server,” reads a support bulletin.
Recent updates from other companies
Other vendors who released updates or advisories in January 2023 include:
The January 2024 Patch Tuesday Security Updates
Below is the complete list of resolved vulnerabilities in the January 2023 Patch Tuesday updates.
To access the full description of each vulnerability and the systems it affects, you can view the full report here.
CVE ID
CVE Title
Severity
.NET and Visual Studio
CVE-2024-0057
NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability
Important
.NET Core & Visual Studio
CVE-2024-20672
.NET Core and Visual Studio Denial of Service Vulnerability
Important
.NET Framework
CVE-2024-21312
.NET Framework Denial of Service Vulnerability
Important
Azure Storage Mover
CVE-2024-20676
Azure Storage Mover Remote Code Execution Vulnerability
Important
Microsoft Bluetooth Driver
CVE-2024-21306
Microsoft Bluetooth Driver Spoofing Vulnerability
Important
Microsoft Devices
CVE-2024-21325
Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability
Important
Microsoft Edge (Chromium-based)
CVE-2024-0222
Chromium: CVE-2024-0222 Use after free in ANGLE
Unknown
Microsoft Edge (Chromium-based)
CVE-2024-0223
Chromium: CVE-2024-0223 Heap buffer overflow in ANGLE
Unknown
Microsoft Edge (Chromium-based)
CVE-2024-0224
Chromium: CVE-2024-0224 Use after free in WebAudio
Unknown
Microsoft Edge (Chromium-based)
CVE-2024-0225
Chromium: CVE-2024-0225 Use after free in WebGPU
Unknown
Microsoft Identity Services
CVE-2024-21319
Microsoft Identity Denial of service vulnerability
Important
Microsoft Office
CVE-2024-20677
Microsoft Office Remote Code Execution Vulnerability
Important
Microsoft Office SharePoint
CVE-2024-21318
Microsoft SharePoint Server Remote Code Execution Vulnerability
Important
Microsoft Virtual Hard Drive
CVE-2024-20658
Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability
Important
Remote Desktop Client
CVE-2024-21307
Remote Desktop Client Remote Code Execution Vulnerability
Important
SQL Server
CVE-2024-0056
Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
Important
SQLite
CVE-2022-35737
MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow
Important
Unified Extensible Firmware Interface
CVE-2024-21305
Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability
Important
Visual Studio
CVE-2024-20656
Visual Studio Elevation of Privilege Vulnerability
Important
Windows AllJoyn API
CVE-2024-20687
Microsoft AllJoyn API Denial of Service Vulnerability
Important
Windows Authentication Methods
CVE-2024-20674
Windows Kerberos Security Feature Bypass Vulnerability
Critical
Windows BitLocker
CVE-2024-20666
BitLocker Security Feature Bypass Vulnerability
Important
Windows Cloud Files Mini Filter Driver
CVE-2024-21310
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Important
Windows Collaborative Translation Framework
CVE-2024-20694
Windows CoreMessaging Information Disclosure Vulnerability
Important
Windows Common Log File System Driver
CVE-2024-20653
Microsoft Common Log File System Elevation of Privilege Vulnerability
Important
Windows Cryptographic Services
CVE-2024-20682
Windows Cryptographic Services Remote Code Execution Vulnerability
Important
Windows Cryptographic Services
CVE-2024-21311
Windows Cryptographic Services Information Disclosure Vulnerability
Important
Windows Group Policy
CVE-2024-20657
Windows Group Policy Elevation of Privilege Vulnerability
Important
Windows Hyper-V
CVE-2024-20699
Windows Hyper-V Denial of Service Vulnerability
Important
Windows Hyper-V
CVE-2024-20700
Windows Hyper-V Remote Code Execution Vulnerability
Critical
Windows Kernel
CVE-2024-20698
Windows Kernel Elevation of Privilege Vulnerability
Important
Windows Kernel-Mode Drivers
CVE-2024-21309
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
Important
Windows Libarchive
CVE-2024-20697
Windows Libarchive Remote Code Execution Vulnerability
Important
Windows Libarchive
CVE-2024-20696
Windows Libarchive Remote Code Execution Vulnerability
Important
Windows Local Security Authority Subsystem Service (LSASS)
CVE-2024-20692
Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability
Important
Windows Message Queuing
CVE-2024-20660
Microsoft Message Queuing Information Disclosure Vulnerability
Important
Windows Message Queuing
CVE-2024-20664
Microsoft Message Queuing Information Disclosure Vulnerability
Important
Windows Message Queuing
CVE-2024-20680
Windows Message Queuing Client (MSMQC) Information Disclosure
Important
Windows Message Queuing
CVE-2024-20663
Windows Message Queuing Client (MSMQC) Information Disclosure
Important
Windows Message Queuing
CVE-2024-21314
Microsoft Message Queuing Information Disclosure Vulnerability
Important
Windows Message Queuing
CVE-2024-20661
Microsoft Message Queuing Denial of Service Vulnerability
Important
Windows Nearby Sharing
CVE-2024-20690
Windows Nearby Sharing Spoofing Vulnerability
Important
Windows ODBC Driver
CVE-2024-20654
Microsoft ODBC Driver Remote Code Execution Vulnerability
Important
Windows Online Certificate Status Protocol (OCSP) SnapIn
CVE-2024-20662
Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability
Important
Windows Online Certificate Status Protocol (OCSP) SnapIn
CVE-2024-20655
Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability
Important
Windows Scripting
CVE-2024-20652
Windows HTML Platforms Security Feature Bypass Vulnerability
Important
Windows Server Key Distribution Service
CVE-2024-21316
Windows Server Key Distribution Service Security Feature Bypass
Important
Windows Subsystem for Linux
CVE-2024-20681
Windows Subsystem for Linux Elevation of Privilege Vulnerability
Important
Windows TCP/IP
CVE-2024-21313
Windows TCP/IP Information Disclosure Vulnerability
Important
Windows Themes
CVE-2024-20691
Windows Themes Information Disclosure Vulnerability
Important
Windows Themes
CVE-2024-21320
Windows Themes Spoofing Vulnerability
Important
Windows Win32 Kernel Subsystem
CVE-2024-20686
Win32k Elevation of Privilege Vulnerability
Important
Windows Win32K
CVE-2024-20683
Win32k Elevation of Privilege Vulnerability
Important
