New year, new updates for security holes in Windows, Adobe, Android and more

Nothing under exploit… The calm before the storm?


Patch Tuesday Microsoft rang in the New Year with a relatively calm Patch Tuesday: Just 49 Windows security updates including fixes for two critical-rated bugs, plus four high-severity Chrome flaws in Microsoft Edge.

None of the January CVEs are under active exploit, according to Redmond. Of the two critical vulnerabilities, CVE-2024-20674 received the highest CVSS severity rating. It's a 9.0-out-of-10 rated security feature bypass bug in Windows Kerberos. 

"An unauthenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server," Microsoft explained. 

The good news is that before launching an attack, a criminal would first need a foothold on the victim's local network. However, Redmond lists this CVE as "exploitation more likely," and it isn't alone in that assessment.

As Zero Day Initiative's Dustin Childs notes, this "means they expect to see public exploit code within 30 days. Make sure to test and deploy this update quickly."

The second critical-rated update fixes CVE-2024-20700, a 7.5-rated remote code execution (RCE) bug in Windows Hyper-V hypervisor. Abusing this hole isn't easy: an attacker would need to be inside the network to exploit the issue and win a race condition. Details are otherwise scant.

While it's listed as exploitation less likely, because Hyper-V runs with the highest privileges on a machine, "it is worth thinking about patching," Ben McCarthy, lead cyber security engineer at Immersive Labs, told The Register.

Other than that, the patch bundle isn't too bad, relatively speaking. There are four "high" rated flaws - all in Chromium - and the rest are set as "important."

Slow month for Adobe, too

Adobe released one security update for its Substance 3D Stager product that fixes six vulnerabilities, all rated "important," that could allow memory leaks and arbitrary code execution. Luckily, it doesn't appear that any of the CVEs have been exploited prior to the patch.

SAP pushes 12 patches

SAP issued 12 new and updated patches, including three HotNews Notes and four High Priority Notes. Two of the HotNews Notes are new, and all three received CVSS scores of 9.1.

One of the new HotNews Notes, #3413475, addresses an escalation of privileges vulnerability in SAP Edge Integration Cell due to CVE-2023-49583 and CVE-2023-50422. The other, #3412456, also fixes an escalation of privileges vulnerability in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack, or SAP Web IDE for SAP HANA. 

These applications may also be affected by CVE-2023-49583, according to Thomas Fritsch, SAP security researcher at Onapsis. This is because "their dependencies might refer to vulnerable versions of the libraries @sap/approuter and @sap/xssec," Fritsch noted. "Therefore, note #3412456 recommends upgrading the dependencies of existing node.js applications to the newest versions of these libraries introduced with SAP Security Note #3411067."

Mixed bag for Cisco

Cisco released its final update for two privilege escalation CVEs in its Identity Services Engine (ISE) that were originally disclosed in September. The bugs are tracked as CVE-2023-20193 and CVE-2023-20194 and only the latter has a patch.

CVE-2023-20193, the one without a fix, is due to improper privilege management in the Embedded Service Router (ESR) of Cisco ISE. Exploiting this bug "could allow an authenticated, local attacker to read, write, or delete arbitrary files on the underlying operating system and escalate their privileges to root," according to the networking giant.

A couple of things to note about this flaw: first, an attacker must already hold valid, administrator-level credentials on the affected device to pull off an attack. And second, the ESR is not enabled by default. Not a massive issue, then, but worth patching where a fix is available. 

And Android

Google's January Security Bulletin for Android addresses 59 CVEs, but none of these appear to have been found and exploited by criminals prior to the patches.

The most severe of the bunch exists in the Framework components. Google says it would lead to local escalation of privilege with no additional execution privileges needed. ®
