After a relatively uneventful December Patch Tuesday, Microsoft rang in the new year with another small batch of fixes.
For January Patch Tuesday, Microsoft addressed 49 new vulnerabilities, updated seven older vulnerabilities and revised an advisory related to hardening Active Directory domain controllers. There were no zero-days or public disclosures for Microsoft products. Two vulnerabilities were rated critical, with the rest categorized as important. The low number of patches continued for the second month in a row after a light December of just 38 vulnerabilities.
The most pressing bug that administrators should prioritize is a Windows Kerberos security feature bypass vulnerability (CVE-2024-20674) rated critical with a CVSS rating of 9.0. The exploitability assessment is "exploitation more likely." This vulnerability affects both Windows desktop and server systems.
"The attacker could impersonate a user to establish a man-in-the-middle situation on a local network and use spoofing techniques to take advantage of this flaw," said Chris Goettl, vice president of product management for security products at Ivanti. "They can send a malicious Kerberos message to the client victim's machine to get in and then gain access to restricted systems."
Goettl noted that this vulnerability affects Windows Server 2008 and 2008 R2 systems. January Patch Tuesday marks the last fixes for these systems, which had been getting patches via Microsoft's Extended Security Update program since leaving extended support in January 2020.
Other security updates of note for January Patch Tuesday
- Microsoft SharePoint Server remote code execution vulnerability (CVE-2024-21318) rated important with a CVSS score of 8.8. An authenticated attacker on the network could run malicious code on the SharePoint server. Microsoft assessed this with an "exploitation more likely" due to the low technical barrier to trigger the exploit.
- Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider security feature bypass vulnerability (CVE-2024-0056) rated important with a CVSS classification of 8.7. The attacker could execute a man-in-the-middle attack to view or tamper with Transport Layer Security traffic between server and clients. The CVE notes provide detailed instructions for different scenarios to assist administrators in their remediation efforts.
- Microsoft Office remote code execution vulnerability (CVE-2024-20677) rated important with a 7.8 CVSS grade. Threat actors could execute remote code via an Office document with an FBX file. Microsoft's fix disabled the ability to insert 3D models in FBX format in Word, Excel, PowerPoint for Windows and Mac, and Outlook for Windows. The update prevents access to the FBX feature in Office 2019, Office 2021, Office LTSC for Mac 2021 and Microsoft 365 Apps for Enterprise.
No patches for Exchange Server 2019
Exchange Server 2019 left mainstream support on Jan. 9, 2024, and entered the extended support phase, which ends on Oct. 14, 2025. During extended support, the email server software will continue to get security updates and time zone updates, but no new features or non-security fixes.
Although Exchange Server 2019 did not get a cumulative update for January Patch Tuesday, Microsoft plans to deliver two CUs for this product in 2024.
"CU14 is in its final stages of testing and validation and will be released as soon as that's finished. CU15 will be released later this year," the company wrote on its Exchange Team blog.
The end of mainstream support means Microsoft will no longer accept bug reports or design change requests.
Slight change to LDAP signing and LDAP binding advisory
Microsoft released another update to a security advisory related to hardening Active Directory that began more than four years ago.
Security advisory ADV190023 shares Microsoft's recommendations to enable Lightweight Directory Access Protocol channel binding and LDAP signing to prevent man-in-the-middle attacks on Active Directory domain controllers. Microsoft first published this advisory on Aug. 13, 2019.
LDAP is the protocol Active Directory uses for a number of functions, including user authentication and authorization. The default settings let clients interact with the domain controllers without enforcing LDAP channel binding and LDAP signing. Microsoft recommends changes that would require channel binding and signing to avoid elevation-of-privilege vulnerabilities.
The January Patch Tuesday update adds to Windows Server 2019 the audit events that identify clients which fail channel binding token validation, so administrators can find incompatible clients from the domain controller's Directory Service log before switching the setting to enforcement.
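The advisory's recommended sequence is audit first, then enforce. The following PowerShell script is an added example, not Microsoft's code or part of ADV190023: it reads the signing and channel binding state of the domain controller it runs on, turns on the "16 LDAP Interface Events" diagnostic that ADV190023 uses to log per-client events, lists the clients that performed unsigned binds (event 2889) or failed channel binding token validation (event 3039) in the last 24 hours, and only when `$Enforce` is set flips both settings to "required". The registry paths and value names are the ones documented in the advisory; the function names and the `$Enforce` switch are this example's own. Run it elevated on a domain controller.

```powershell
# Added example: audit and then enforce LDAP signing and channel binding on a DC.
# Registry locations and value names are those documented in ADV190023.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapHardeningState {
    # Read the current posture. Missing values mean the insecure default is in effect.
    $p = Get-ItemProperty -Path $NtdsParams
    $d = Get-ItemProperty -Path $NtdsDiag
    [pscustomobject]@{
        # LDAPServerIntegrity: 1 = None (default), 2 = Require signing
        ServerSigning        = if ($null -eq $p.LDAPServerIntegrity) { 'not set (default: None)' } else { $p.LDAPServerIntegrity }
        # LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always
        ChannelBinding       = if ($null -eq $p.LdapEnforceChannelBinding) { 'not set (default: Never)' } else { $p.LdapEnforceChannelBinding }
        # "16 LDAP Interface Events" = 2 logs a 2889/3039 event per offending client
        LdapInterfaceLogging = $d.'16 LDAP Interface Events'
    }
}

function Enable-LdapBindAuditing {
    # Step 1 of the advisory: make the DC log which clients would break.
    # Setting channel binding to 1 ("when supported") is what surfaces event 3039
    # without rejecting anyone yet.
    Set-ItemProperty -Path $NtdsDiag   -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    Set-ItemProperty -Path $NtdsParams -Name 'LdapEnforceChannelBinding' -Value 1 -Type DWord
}

function Get-LdapAuditOffenders {
    param([int]$Hours = 24)
    # Event 2889: client performed an unsigned (simple or unsigned SASL) bind.
    # Event 3039: client bound over LDAPS but failed channel binding token validation.
    # In both events the first two insertion strings are the client address and the
    # identity the client tried to authenticate as.
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889, 3039
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                Client   = $_.Properties[0].Value   # IP:port of the offending client
                Identity = $_.Properties[1].Value   # account the client bound as
            }
        } |
        Sort-Object Client, Identity -Unique
}

function Set-LdapHardeningEnforced {
    # Step 2 of the advisory, once the offender list is empty. For the signing
    # requirement Microsoft's preferred route is the GPO "Domain controller: LDAP
    # server signing requirements"; writing the registry directly is equivalent
    # for a single DC and is what this example does.
    Set-ItemProperty -Path $NtdsParams -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord
    Set-ItemProperty -Path $NtdsParams -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord
}

# Usage. $Enforce is this example's own guard: leave it $false until the offender
# list has been empty for long enough to cover every client's bind cycle.
$Enforce = $false

'Current state:'
Get-LdapHardeningState | Format-List

Enable-LdapBindAuditing

'Clients that performed unsigned binds or failed CBT validation in the last 24h:'
$offenders = Get-LdapAuditOffenders -Hours 24
$offenders | Format-Table -AutoSize

if ($Enforce) {
    if ($offenders) {
        Write-Warning 'Offending clients still present; not enforcing.'
    } else {
        Set-LdapHardeningEnforced
        'Enforcement applied:'
        Get-LdapHardeningState | Format-List
    }
}
```

Run this on each domain controller, since both the diagnostics setting and the event log are per-DC; the 2889 events name the client by address and the account it bound as, which is usually enough to find the service or appliance that still uses simple binds. Unsigned SASL binds that show up here can generally be fixed on the client by enabling signing or switching to LDAPS; simple binds over cleartext LDAP have to move to LDAPS before enforcement, or they will be rejected.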
Tom Walat is the site editor for TechTarget Editorial's Windows Server site, where he writes and edits articles by technology experts. Walat previously worked for a Boston-area newspaper in several roles, including news editor and editorial systems manager.