2024’s first Patch Tuesday steps lightly – Sophos News

• Data Disclosure: 12
• Distant Code Execution: 11
• Elevation of Privilege: 10
• Denial of Service: 6
• Safety Characteristic Bypass: 6
• Spoofing: 3

Determine 1: You’re studying the labels appropriately: Data-disclosure points outnumber each EoP and RCE bugs in January. Safety characteristic bypass points – considered one of them Essential-severity — additionally make a robust displaying

Merchandise

• Home windows: 38
• .NET: 5 (together with on shared with Visible Studio; one shared with Microsoft Identification Mannequin / NuGet and Visible Studio; and one shared with Azure, SQL Server, and Visible Studio)
• Visible Studio: 4 (together with one shared with .NET; one shared with .NET and Microsoft Identification Mannequin / NuGet; and one shared with .NET, Azure, and SQL Server)
• Azure: 2 (together with one shared with .NET, SQL Server, and Visible Studio)
• Microsoft Identification Mannequin / NuGet: 1 (shared with .NET and Visible Studio)
• Microsoft Printer Metadata Troubleshooter Software: 1
• Workplace: 1
• SharePoint: 1
• SQL Server: 1 (shared with .NET, Azure, and Visible Studio)

Determine 2: Home windows is closely represented on this month’s patches, however a number of less-familiar instruments and functions are additionally within the combine (full names proven in tables beneath)

Notable January updates

Along with the problems mentioned above, a couple of particular gadgets are price noting.

CVE-2024-0057 — .NET, .NET Framework, and Visible Studio Framework Safety Characteristic Bypass Vulnerability
CVE-2024-20674 — Home windows Kerberos Safety Characteristic Bypass Vulnerability

Of this pair of safety characteristic bypass points, Microsoft deems solely the Kerberos situation to be Essential-class. The CVSS scoring system begs to vary, for the reason that information to that scoring system requires that scorers think about possible worst-case situations when evaluating bugs in software program libraries. Their CVSS base scores are thus 9.1 and 9.0 respectively. In any case, admins are inspired to prioritize these two patches.

CVE-2024-20696 – Home windows Libarchive Distant Code Execution Vulnerability
CVE-2024-20697 – Home windows Libarchive Distant Code Execution Vulnerability

The knowledge accessible on these two identically named Essential-class RCEs is scant, however there’s a giant clue to their significance within the title: These two points have an effect on Libarchive, the engine for studying and writing in numerous compression and archive codecs.

CVE-2024-20666 – BitLocker Safety Characteristic Bypass Vulnerability

One other safety characteristic bypass, this time in a safety characteristic. This situation stands out for some pretty nuanced necessities round servicing the Protected OS; for many variations of Home windows 11 that is now a completely automated course of, and people counting on WSUS are routinely up to date, however these working in additional complicated environments are strongly inspired to verify Microsoft’s revealed steering for particular directions. In any case, the attacker requires bodily entry to the focused machine.

CVE-2024-21305 — Hypervisor-Protected Code Integrity (HVCI) Safety Characteristic Bypass Vulnerability

The CVE with the bottom CVSS base rating this month has one thing in widespread with the 2 highest-scoring CVEs: It’s one more safety characteristic bypass. This one, nonetheless, charges a mere 4.4 base rating and requires the attacker to have bodily entry to the focused machine and to have beforehand compromised admin credentials. It impacts an assortment of Home windows shopper and server variations and, for these nonetheless working that {hardware}, 15 variations of the Floor.

Sophos protections

As you’ll be able to each month, in case you don’t need to wait on your system to drag down Microsoft’s updates itself, you’ll be able to obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe instrument to find out which construct of Home windows 10 or 11 you’re working, then obtain the Cumulative Replace package deal on your particular system’s structure and construct quantity.

Appendix A: Vulnerability Impression and Severity

This can be a record of January patches sorted by affect, then sub-sorted by severity. Every record is additional organized by CVE.

Data Disclosure (12 CVEs)

Distant Code Execution (11 CVEs)

Elevation of Privilege (10 CVEs)

Denial of Service (6 CVEs)

Safety Characteristic Bypass (6 CVEs)

Spoofing (3 CVEs)

Appendix B: Exploitability

This can be a record of the January CVEs judged by Microsoft to be extra prone to be exploited within the wild inside the first 30 days post-release. Every record is additional organized by CVE. No CVEs addressed within the January patch assortment are identified to be beneath lively exploit within the wild but.

 Appendix C: Merchandise Affected

This can be a record of December’s patches sorted by product household, then sub-sorted by severity. Every record is additional organized by CVE. Patches which are shared amongst a number of product households are listed a number of instances, as soon as for every product household.

Home windows (38 CVEs)

.NET (5 CVEs)

Visible Studio (4 CVEs)

Azure (2 CVEs)

Microsoft Identification Mannequin (1 CVE)

Microsoft Printer Metadata Troubleshooter Software (1 CVE)

Workplace (1 CVE)

SharePoint (1 CVE)

SQL Server (1 CVE)

Appendix D: Advisories and Different Merchandise

This can be a record of advisories and knowledge on different related CVEs within the December Microsoft launch, sorted by product.

Related to Edge / Chromium (4 CVEs)

Related to Home windows (third-party product) (one CVE)