App Wednesday: Critical Zero-day for Chrome

Greg Lambert
January 24, 2024
4 minutes

App Wednesday January 2024

This monthly blog entry covers the mid-month Microsoft updates, which include patches, application updates, lifecycle changes and application-related events. We will cover security issues that relate to applications and deployments as well. It is intended as an informal update focusing on recent changes and on currently outstanding bug reports or zero-days.

Microsoft Quality Update

This C-cycle release (the third release of the month) generally consists of optional "Quality" updates from Microsoft, and this January Microsoft has released the following updates to the Windows platform:

Expect all of these updates to the Microsoft .NET and desktop platform to be included in the February Patch Tuesday update cycle.

Lifecycle Update

This section covers some of the major changes happening in the Microsoft desktop and server ecosystem this month. The big change for the Windows platform this month is the (very) rapid deployment of Copilot, the Microsoft AI chatbot. Copilot in Windows will start to roll out in preview to select global markets as part of the latest update to Windows 11. The initial markets for the Copilot in Windows preview include North America and parts of Asia and South America. Additional markets will be added over the next few months.

Patch Revisions

As the January patch cycle was very light for this year, we were expecting a few updates and revisions to existing patches. While there may be further updates this month, here is what Microsoft has updated since last Patch Tuesday:

  • CVE-2024-0056: Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability. This patch was updated to include further information about the security table. No further action required.
  • CVE-2024-0057: .NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability. This patch was updated to include further information about the security table. No further action required.
  • CVE-2024-21312: .NET Framework Denial of Service Vulnerability. Security-related download information was updated for this Microsoft patch. No further action is required.

As Microsoft Edge is built on the Chromium code base, a fix for CVE-2024-0519 was also published for the Microsoft Edge Stable Channel (Version 120.0.2210.144).

Vulnerability Update

Since last Patch Tuesday, the Chromium project has reported an actively exploited zero-day in the Chrome browser. With 17 major security issues to resolve, the Chrome "Stable" channel has been updated to 121.0.6167.85 for Mac and Linux and 121.0.6167.85/.86 for Windows, which will roll out over the coming days and weeks. A full list of changes in this build is available in the log. We have included a list of the high-severity changes for your reference:

  • 1505080 CVE-2024-0807: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-25.
  • 1484394 CVE-2024-0812: Inappropriate implementation in Accessibility. Reported by Anonymous on 2023-09-19.
  • 1504936 CVE-2024-0808: Integer underflow in WebUI. Reported by Lyra Rebane (rebane2001) on 2023-11-24.

And a shout-out to the security tools that were instrumental in identifying these issues: AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer and AFL.
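The practical question for a fleet is which machines are still below the fixed builds named above (Chrome 121.0.6167.85, Edge 120.0.2210.144 for CVE-2024-0519). The following is an added example, not code from the original post; the version floors are the ones reported here, while the function names and the sample inventory are my own constructed assumptions.

```python
"""Flag browser installs below the fixed builds reported in this post.

Added example (not from the original post). Fixed builds are the ones the
post names; the check logic, names and sample data are assumptions.
"""

# Minimum fixed builds. Windows Chrome also ships .86, but .85 is the
# first build carrying the 17 fixes, so it is the floor on every platform.
FIXED_BUILDS = {
    "chrome": (121, 0, 6167, 85),   # CVE-2024-0807 / -0808 / -0812 et al.
    "edge": (120, 0, 2210, 144),    # CVE-2024-0519 fix in Edge Stable
}


def parse_version(text):
    """'121.0.6167.85' -> (121, 0, 6167, 85); None if not four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_patched(product, version):
    """True when version >= the fixed build for product.

    Unknown products and unparseable versions count as unpatched so an
    inventory error is never reported as 'safe'.
    """
    floor = FIXED_BUILDS.get(product.lower())
    parsed = parse_version(version)
    if floor is None or parsed is None:
        return False
    return parsed >= floor   # tuple comparison is lexicographic


def triage(inventory):
    """Return hostnames from (host, product, version) rows needing an update."""
    return [h for h, p, v in inventory if not is_patched(p, v)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("ws-001", "chrome", "121.0.6167.85"),
        ("ws-002", "chrome", "120.0.6099.225"),
        ("ws-003", "edge", "120.0.2210.144"),
        ("ws-004", "edge", "120.0.2210.133"),
        ("ws-005", "chrome", "unknown"),
    ]
    for host in triage(sample):
        print(f"{host}: browser update required")
```

Feed it the (host, product, version) export from your endpoint management tool; a parse failure deliberately lands on the "update required" list rather than being ignored.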

Next release of Windows

Here is a nice (i.e. short and accurate) review of what is expected in Windows 11 23H2. We will cover this in more detail in the next posting, but here is the list of issues and bugs already addressed and ready for testing by Microsoft:

  • Resolves an issue that stops search from working on the Start menu for some users. The issue occurs because of a deadlock.
  • Addresses an issue to make video calls more reliable.
  • Fixes an issue that causes your device to stop responding. This is intermittent and occurs after you install a print support app.
  • Addresses an issue that makes the troubleshooting process fail. This occurs when you use the Get Help app.
  • Resolves an issue that affects the File Explorer Gallery. It stops you from closing a tooltip.
  • Addresses an issue that affects Bluetooth Low Energy (LE) Audio earbuds. They lose sound when you stream music.
  • Fixes an issue that affects a Bluetooth phone call. It stops the audio from routing through the PC when you answer the call on your PC.

Our next update will be in the second week of February with the release of our Patch Tuesday dashboard.

You can find out more about how Readiness can help with updating and, most importantly, testing your application portfolio with our Assurance Unbound offer.

3 months of patch protection, assessments and dependency reports for your entire portfolio.

  • No cost
  • No limit of applications
  • No software needed
  • No infrastructure required
  • No obligation

Greg Lambert

CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.
