Watch the Webinar Recording

Webinar Hosts

Patch Tuesday Support Group Webinar Recap

Patch Tuesday January News

Exchange Server 2013 OWA — The ticking time bomb of Microsoft Exchange Server 2013 | by Kevin Beaumont | Dec, 2023 | DoublePulsar

Bitwarden Heist – How to break into password vaults without using passwords — RedTeam Pentesting – Blog – Bitwarden Heist – How to Break Into Password Vaults Without Using Passwords (redteam-pentesting.de)

U.S. Water Utitlies Hacked with default password of 1111 — Officials: U.S. water utilities hacked after leaving passwords set to (fastcompany.com)

Ivanti Endpoint Privilege Manager (EPM) SQL Injection Vulnerability — Ivanti warns of critical vulnerability in its popular line of endpoint protection software | Ars Technica

WinRE Updates will Fail on Small Partitions — CVE-2024-20666 – Security Update Guide – Microsoft – BitLocker Security Feature Bypass Vulnerability

What’s new in Intune — What’s new in Microsoft Intune | Microsoft Learn

RSOP for Intune — RSOP for Intune. Final solution! (doitpsway.com)

EU Users will get prompted for SSO on latest Win10/11 Builds — Upcoming changes to Windows Single Sign-On | Windows IT Pro (microsoft.com)

HPE to Acquire Juniper Networks — HPE to Acquire Juniper Networks to Accelerate AI-Driven Innovation | Business Wire

VMware ends Perptual license and Maintenance Plans — VMware by Broadcom Dramatically Simplifies Offer Lineup and Licensing Model – VMware News and Stories

Microsoft Deprecates Windows Mixed Reality — Deprecated features in the Windows client – What’s new in Windows | Microsoft Learn

MS Adds new Copilot Key to MS Keyboards — Introducing a new Copilot key to kick off the year of AI-powered Windows PCs | Windows Experience Blog

Microsoft Patches of Note

View the full list of Patch Tuesday release notes at Patch Tuesday Blog Home Page – Patch Tuesday Blog

Updates Released: 102
Critical Severity: 46
Important Severity: 51
Moderate Severity: 5

Third Party Updates from Patch My PC

Total Number of Updates: 1920
Total Number of CVES: 224
Critical: 37
Moderate: 1570
Low: 8

Browser Patch Specifics
Chrome: 15 Patches
FireFox: 180 Patches
Microsoft Edge: 15 Patches
Opera: 10 Patches

Insight into CVEs

Critical CVEs: 50
Important CVEs: 1163

CVE breakdown
143 Denial of Service
199 Elevation of Priviledge
361 Information Disclosure
178 Remote Code Executions
273 Security Feature Bypass
59 Sproofing

BitLocker Security Feature Bypass Vulnerability — CVE-2024-20666  Score 6.6 Must be done in person/physically, exploitation less likely. A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access that also knows the TPM PIN (if the user is protected by the BitLocker TPM+PIN) could exploit this vulnerability to gain access to encrypted data. Depending on the version of Windows you are running, you may need to take additional steps to update Windows Recovery Environment (WinRE) to be protected from this vulnerability. To check whether your update will apply automatically or if you need to do additional steps, please refer to Window’s instruction here: CVE-2024-20666 – Security Update Guide – Microsoft – BitLocker Security Feature Bypass Vulnerability. 

NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability — CVE-2024-0057 Score 9.1 Network based attack, exploitation less likely. An attacker could exploit this by creating a specially crafted X.509 certificate that intentionally induces a chain building failure. The framework will correctly report that X.509 chain building failed, but it will return an incorrect reason code for the failure. Applications which utilize this reason code to make their own chain building trust decisions may inadvertently treat this scenario as a successful chain build, which would allow an adversary to subvert the app’s typical authentication logic. NOTE: this is scored high based on the worst-case scenario of a .NET framework exploit. Although it may not be critical in your environment, we recommend patching as soon as possible.