Article Details
Scrape Timestamp (UTC): 2024-01-09 19:08:50.858
Original Article Text
Microsoft January 2024 Patch Tuesday fixes 49 flaws, 12 RCE bugs.

Today is Microsoft's January 2024 Patch Tuesday, which includes security updates for a total of 49 flaws, including 12 remote code execution vulnerabilities. Only two vulnerabilities were classified as critical, with one being a Windows Kerberos Security Feature Bypass and the other a Hyper-V RCE.

The number of bugs in each vulnerability category is listed below:

The total count of 49 flaws does not include 4 Microsoft Edge flaws fixed on January 5th. To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5034123 cumulative update.

This month's interesting flaws

While there were no actively exploited or publicly disclosed vulnerabilities this month, some flaws are more interesting than others.

Microsoft fixed an Office Remote Code Execution Vulnerability, tracked as CVE-2024-20677, that allows threat actors to create maliciously crafted Office documents with embedded FBX 3D model files to perform remote code execution.

"A security vulnerability exists in FBX that could lead to remote code execution. To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac," explains the Microsoft security bulletin. "Versions of Office that had this feature enabled will no longer have access to it. This includes Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365."

"3D models in Office documents that were previously inserted from a FBX file will continue to work as expected unless the Link to File option was chosen at insert time."

Also fixed today is a critical Windows Kerberos bug, tracked as CVE-2024-20674, that allows an attacker to bypass the authentication feature.

"An unauthenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server," reads a support bulletin.

Recent updates from other companies

Other vendors who released updates or advisories in January 2023 include:

The January 2024 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the January 2023 Patch Tuesday updates. To access the full description of each vulnerability and the systems it affects, you can view the full report here.
Daily Brief Summary
Microsoft released patches for 49 security flaws across various products as part of their January 2024 Patch Tuesday.
Among the vulnerabilities are 12 remote code execution (RCE) bugs; two of the 49 flaws are classified as critical.
A significant flaw fixed is an RCE vulnerability in Microsoft Office related to malicious FBX 3D model files.
Another critical bug addressed was a Windows Kerberos Security Feature Bypass, which could allow attackers to bypass authentication.
Although no vulnerabilities were actively exploited or publicly disclosed this month, the Office RCE flaw presents a notable risk.
The security update covers both Windows and Mac versions of Office applications and disables the ability to insert FBX files.
Microsoft's updates come alongside other January 2023 advisories from various tech vendors.