Get patching! Wormable Windows flaw headlines Patch Tuesday

Patch now! First patch Tuesday of 2024 is here

Microsoft’s patch Tuesday roundup looks like a relatively quiet one. Unless your organization uses FBX files.

Microsoft has issued patches for 48 security vulnerabilities in the first Patch Tuesday of 2024. With a relatively low number of patches—and only two of them critical—this makes it a relatively quiet month, which is certainly not the norm in January.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE IDs for the two critical vulnerabilities are:

CVE-2024-20674 is a Windows Kerberos security feature bypass vulnerability with a CVSS score of 9.0 out of 10. An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server.

Kerberos is an authentication protocol that is used to verify the identity of a user or host. To make use of this vulnerability the attacker will need to gain access to the restricted network before being able to run an attack. Nevertheless Microsoft thinks exploitation is “more likely,” which means the vulnerability could be exploited as part of an attack chain.

CVE-2024-20700 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 7.5 out of 10. Successful exploitation of this vulnerability might be hard because it requires an attacker to win a race condition and they will need to first gain access to the restricted network before running an attack.

Hyper-V is the Windows hardware virtualization service. It enables users to create and run a software version of a computer, called a virtual machine. Sometimes these virtual machines are attractive targets for cybercriminals. But the advisory is not very clear on the exact circumstances or context that would allow the RCE.

One other vulnerability, classified as important, that might turn out to be of interest, at least for some users, is:

CVE-2024-20677 is a Microsoft Office Remote Code Execution (RCE) vulnerability with a CVSS score of 7.8 out of 10. The security vulnerability exists in FBX that could lead to remote code execution. To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access to it. This includes Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365.

FBX files are a type of 3D model file created using the Autodesk FBX software. When you try to insert an FBX file into Word, Excel, PowerPoint, and Outlook, you will see the following error: “An error occurred while importing this file.” If you’d like to re-enable this ability, you can find the reasons why you shouldn’t and the method how to do it on this Microsoft Support page.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.