Security News > 2024 > January > Microsoft fixes critical flaws in Windows Kerberos, Hyper-V (CVE-2024-20674, CVE-2024-20700)
For January 2024 Patch Tuesday, Microsoft has released fixes for 49 CVE-numbered vulnerabilities, two of which are critical: CVE-2024-20674 and CVE-2024-20700.
CVE-2024-20674 is a security feature bypass vulnerability that may allow attackers to impersonate Windows' Kerberos server.
"An unauthenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server," Microsoft explains.
Though an attacker must first gain access to the restricted network before running an attack, Microsoft thinks that the likelihood of attackers exploiting this flaw is considerable and the complexity of attack is low, and has therefore urged admins to prioritize testing and deploying this patch.
Finally, Microsoft has fixed CVE-2024-20677, a vulnerability in Microsoft Office that could lead to remote code execution via FBX files.
"An attacker who successfully exploits this vulnerability could perform a remote attack that could enable access to the victim's information and the ability to alter information. Successful exploitation could also potentially cause downtime for the targeted environment," says Microsoft.
News URL
https://www.helpnetsecurity.com/2024/01/09/cve-2024-20674-cve-2024-20700/
Related news
- Microsoft removes Assassin’s Creed Windows 11 upgrade blocks (source)
- Microsoft fixes Windows Server 2022 bug breaking device boot (source)
- Microsoft issues out-of-band fix for Windows Server 2022 NUMA glitch (source)
- Microsoft: January Windows security updates break audio playback (source)
- Microsoft lifts Windows 11 update block for PCs with gaming issues (source)
- Microsoft improves text contrast for all Windows Chromium browsers (source)
- Microsoft Will Remove the Free VPN That Comes With Windows Defender Soon (source)
- Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score (source)
- New Microsoft script updates Windows media with bootkit malware fixes (source)
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-01-09 | CVE-2024-20700 | Race Condition vulnerability in Microsoft products Windows Hyper-V Remote Code Execution Vulnerability | 0.0 |
| 2024-01-09 | CVE-2024-20677 | Unspecified vulnerability in Microsoft products A security vulnerability exists in FBX that could lead to remote code execution. | 0.0 |
| 2024-01-09 | CVE-2024-20674 | Authentication Bypass by Spoofing vulnerability in Microsoft products Windows Kerberos Security Feature Bypass Vulnerability | 0.0 |