Executive Summary
In the January 2024 Patch Tuesday, Microsoft released fixes for a total of 53 vulnerabilities: 48 Microsoft CVEs and 5 non-Microsoft CVEs. Of those 5, 4 relate to Chromium and carry CVSS scores of 8+, and 1 relates to SQLite with a CVSS score of 7+.
Notably, there are no known zero-day threats targeting any of the vulnerabilities addressed in this batch of patches.
For more details, you can refer to the Microsoft January 2024 Security Updates.
We advise organisations to prioritise the installation of Microsoft’s January 2024 patches by adopting a risk-based approach. Below is a summary of the vulnerabilities with a CVSS score of 8+ that Microsoft addressed in this release.
As a side note, you can explore the key highlights for Microsoft Patch Tuesday in December 2023 here.
.NET and Visual Studio
- Name: .NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability
- CVSS Score: 9.1
Windows
- Name: Windows Kerberos Security Feature Bypass Vulnerability
- CVSS Score: 9.0
- Name: Microsoft ODBC Driver Remote Code Execution Vulnerability
- CVSS Score: 8.0
Microsoft Office
- Name: Microsoft SharePoint Server Remote Code Execution Vulnerability
- CVSS Score: 8.8
SQL Server
- Name: Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
- CVSS Score: 8.7
Azure
- Name: Azure Storage Mover Remote Code Execution Vulnerability
- CVSS Score: 8.0
Microsoft Edge
In this release, Microsoft fixed 4 vulnerabilities related to Chromium that Google had addressed earlier. All of them have a CVSS score of 8.8.
It is worth mentioning that Microsoft addressed critical vulnerabilities related to Chromium between the December and January releases. One of those, identified as CVE-2023-7024 and with a CVSS score of 8.8, has been exploited in the wild. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) recently added it to its Known Exploited Vulnerabilities (KEV) Catalog.