Microsoft is addressing 49 vulnerabilities this January 2024 Patch Tuesday, including a single critical remote code execution vulnerability. Four browser vulnerabilities were published separately this month, and are not included in the total. No zero-day vulnerabilities are published or patched today.
Hyper-V: critical remote code execution
CVE-2024-20700 describes a remote code execution vulnerability in the Windows Hyper-V hardware virtualization service. Microsoft ranks this vulnerability as critical under its own proprietary severity scale. However, the CVSS 3.1 base score of 7.5 equates only to high severity, reflecting the high attack complexity — attackers must win a race condition — and the requirement for the attack to be launched from the restricted network. The advisory is light on detail, so it isn’t clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur. However, since Microsoft ranks the vulnerability as more severe than the CVSS score would suggest, defenders should assume that exploitation is possible from the same subnet as the hypervisor, and that code execution will occur in a SYSTEM context on the Hyper-V host.
FBX 3D models in Office: arbitrary code execution
A patch for Microsoft Office disables the ability to insert 3D models from FBX (Filmbox) files into Office documents to guard against exploitation of CVE-2024-20677, which Microsoft describes as an arbitrary code execution. Exploitation would involve an Office user interacting with a malicious FBX file, and could lead to information disclosure or downtime. Models alr ..
Support the originator by clicking the read the rest link below.
