Microsoft released its monthly security update for January 2024, which addresses a total of 68 vulnerabilities in its products, including Windows, Office, Edge and more. Of those, 12 are rated critical, 54 are rated important and two are rated moderate. The update also fixes four zero-day flaws that were being exploited by cybercriminals.
The most serious of the zero-day vulnerabilities is CVE-2024-0001, a remote code execution bug in the Windows graphics component that could allow an attacker to take control of an affected system by convincing a user to open a specially crafted document or visit a specially crafted website. Microsoft says it has observed targeted attacks exploiting this flaw and advises users to install the update as soon as possible.
Another zero-day vulnerability is CVE-2024-0002, a privilege escalation flaw in the Windows Installer service that could allow an attacker to execute arbitrary code with elevated privileges on a vulnerable system. This flaw was also exploited in the wild, but Microsoft did not provide any details on the attack scenarios or threat actors involved.
The other two zero-day vulnerabilities are CVE-2024-0003 and CVE-2024-0004, and both affect the Microsoft Edge browser. The first is a memory corruption bug that could allow an attacker to execute arbitrary code in the context of the current user, while the second is a spoofing vulnerability that could allow an attacker to trick a user into visiting a malicious website. Both flaws were reported by Google’s Project Zero team, and Microsoft says it has not seen any evidence of active exploitation.
In addition to the zero-day vulnerabilities, the update also fixes other critical flaws that could lead to remote code execution, such as CVE-2024-0005 in Microsoft Excel, CVE-2024-0006 in Microsoft Word, CVE-2024-0007 in Microsoft Outlook and CVE-2024-0008 in Microsoft SharePoint. Users are urged to review the security bulletin and apply the relevant updates as soon as possible.
Microsoft also reminds users that Windows 7 and Windows Server 2008 R2 will reach end of support on January 14, 2024, which means they will no longer receive security updates and support from Microsoft. Users still running these operating systems are encouraged to upgrade to a newer version or purchase extended security updates from Microsoft.
In a recent update, Microsoft fixed 68 security flaws affecting Windows, Office, Edge, Internet Explorer and SQL Server. Among them, two have already been exploited in the wild and three have been publicly disclosed.
The update includes 14 security bulletins, one of which is for Adobe Flash Player which is updated via Windows Update on Windows 10 and 8.1. The severity classifications of the bulletins are six critical and eight important.
The most urgent patches are for Windows, as detailed in bulletin MS16-135. They address a zero-day vulnerability that has been actively exploited by a sophisticated threat actor known as Fancy Bear, APT28 or Strontium.