Security News > 2024 > January > Microsoft fixes critical flaws in Windows Kerberos, Hyper-V (CVE-2024-20674, CVE-2024-20700)
For January 2024 Patch Tuesday, Microsoft has released fixes for 49 CVE-numbered vulnerabilities, two of which are critical: CVE-2024-20674 and CVE-2024-20700.
CVE-2024-20674 is a security feature bypass vulnerability that may allow attackers to impersonate Windows' Kerberos server.
"An unauthenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server," Microsoft explains.
Though an attacker must first gain access to the restricted network before running an attack, Microsoft thinks that the likelihood of attackers exploiting this flaw is considerable and the complexity of attack is low, and has therefore urged admins to prioritize testing and deploying this patch.
Finally, Microsoft has fixed CVE-2024-20677, a vulnerability in Microsoft Office that could lead to remote code execution via FBX files.
"An attacker who successfully exploits this vulnerability could perform a remote attack that could enable access to the victim's information and the ability to alter information. Successful exploitation could also potentially cause downtime for the targeted environment," says Microsoft.
News URL
https://www.helpnetsecurity.com/2024/01/09/cve-2024-20674-cve-2024-20700/
Related news
- Microsoft lifts Windows 11 update block for some AutoCAD users (source)
- Microsoft replacing Remote Desktop app with Windows App in May (source)
- Microsoft: Recent Windows updates make USB printers print random text (source)
- Microsoft patches Windows Kernel zero-day exploited since 2023 (source)
- Microsoft: March Windows updates mistakenly uninstall Copilot (source)
- Microsoft fixes Windows update bug that uninstalled Copilot (source)
- Microsoft lifts Windows 11 upgrade block after Asphalt 8 crash fix (source)
- Microsoft: Recent Windows updates cause Remote Desktop issues (source)
- Microsoft fixes printing issues caused by January Windows updates (source)
- Mozilla warns Windows users of critical Firefox sandbox escape flaw (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-01-09 | CVE-2024-20700 | Race Condition vulnerability in Microsoft products Windows Hyper-V Remote Code Execution Vulnerability | 0.0 |
| 2024-01-09 | CVE-2024-20677 | Unspecified vulnerability in Microsoft products A security vulnerability exists in FBX that could lead to remote code execution. | 0.0 |
| 2024-01-09 | CVE-2024-20674 | Authentication Bypass by Spoofing vulnerability in Microsoft products Windows Kerberos Security Feature Bypass Vulnerability | 0.0 |