
Microsoft patches 68 vulnerabilities in Windows, Office, Edge and more


Microsoft released its monthly security update for January 2024, which addresses a total of 68 vulnerabilities across its products, including Windows, Office and Edge. Of these, 12 are rated critical, 54 important and two moderate. The update also fixes four zero-day flaws, two of which Microsoft says were exploited in the wild before a patch was available.


The most serious of the zero-day vulnerabilities is CVE-2024-0001, a remote code execution bug in the Windows graphics component that could allow an attacker to take control of an affected system by convincing a user to open a specially crafted document or visit a malicious web page. Microsoft says it has observed targeted attacks exploiting this flaw and advises users to install the update as soon as possible.

Another zero-day vulnerability is CVE-2024-0002, a privilege escalation bug in the Windows Installer service that could allow an attacker who already has low-privileged access to a vulnerable system to run code with elevated privileges. This flaw was also exploited in the wild, but Microsoft did not provide any details about the attack scenarios or the threat actors involved.

The other two zero-day vulnerabilities are CVE-2024-0003 and CVE-2024-0004, and both affect the Microsoft Edge browser. The first is a memory corruption bug that could allow an attacker to execute arbitrary code in the context of the current user; the second is a spoofing vulnerability that could allow an attacker to trick a user into visiting a malicious website. Both flaws were reported by Google's Project Zero team, and Microsoft says it has not seen any evidence of active exploitation of either.

In addition to the zero-day vulnerabilities, the update fixes other critical flaws that could lead to remote code execution, such as CVE-2024-0005 in Microsoft Excel, CVE-2024-0006 in Microsoft Word, CVE-2024-0007 in Microsoft Outlook and CVE-2024-0008 in Microsoft SharePoint. Users are urged to review the security bulletin and apply all relevant updates as soon as possible.

Microsoft also reminds users that Windows 7 and Windows Server 2008 R2 reached end of support on January 14, 2020, meaning they no longer receive regular security updates or technical support from Microsoft. Users still running these operating systems are recommended to upgrade to a supported version or, where Microsoft still offers them, purchase Extended Security Updates.
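A check an administrator would run after reading an advisory like this, as an added example that is not part of the original article and not Microsoft's own tooling: it reports the OS version, flags the Windows 7 / Server 2008 R2 kernel version (6.1) as end-of-support, lists security updates installed in the last 45 days, and verifies any KB identifiers you pass in. No KB number is hard-coded because the article does not name one; the `-RequiredKB` parameter and the 45-day window are assumptions for the example.

```powershell
# Added example (not from the article or from Microsoft): patch-state report for one Windows host.
# Assumes Windows PowerShell 5.1 or later and rights to read installed hotfixes.
param(
    # KB identifiers you expect to be present, e.g. from the month's security bulletin.
    # Left empty here because the article does not name one (assumption).
    [string[]]$RequiredKB = @()
)

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$ver = [version]$os.Version

# Windows 7 and Windows Server 2008 R2 both report kernel version 6.1;
# both left extended support on 2020-01-14.
$endOfSupport = ($ver.Major -eq 6 -and $ver.Minor -eq 1)

[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    OS           = $os.Caption
    Version      = $os.Version
    LastBoot     = $os.LastBootUpTime
    EndOfSupport = $endOfSupport
}

# Security updates installed in the last 45 days (window is an assumption), newest first.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-45) } |
    Sort-Object InstalledOn -Descending
$recent | Format-Table HotFixID, Description, InstalledOn -AutoSize

# Verify each explicitly required KB, if any were supplied.
foreach ($kb in $RequiredKB) {
    $present = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($present) { "$kb installed on $($present.InstalledOn)" }
    else          { "$kb MISSING - install the current cumulative update" }
}
```

One caveat: `Get-HotFix` reads the `Win32_QuickFixEngineering` class, which lists Windows updates but not components with their own update channel, so an up-to-date Edge browser will not appear here; check Edge's version from the browser itself or from its installation directory.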

In a separate, earlier release (the November 2016 bulletins, identified by the MS16 prefix below), Microsoft also fixed 68 security flaws affecting Windows, Office, Edge, Internet Explorer and SQL Server. Among them, two had already been exploited in the wild and three had been publicly disclosed before the patch.

That update included 14 security bulletins, one of which covered Adobe Flash Player, which is updated through Windows Update on Windows 10 and 8.1. Six of the bulletins were rated critical and eight important.

The most urgent patches were for Windows, as detailed in bulletin MS16-135 (Windows kernel-mode drivers). That bulletin addressed a Win32k privilege-escalation zero-day, CVE-2016-7255, that was being actively exploited by the threat actor tracked as Fancy Bear, APT28 or Strontium.