Seven different Windows privilege escalation vulnerabilities have not yet been addressed by Microsoft, two months after they were revealed at Pwn2Own 2024 in Vancouver.
This week’s Patch Tuesday brought with it five dozen security fixes, including fixes for the actively exploited CVE-2024-30051 and CVE-2024-30040 bugs. But unlike Apple, Google, and others, Microsoft has not yet patched a host of bugs uncovered by white hats back in March.
To date, the company has fixed only one. That same issue also affected Google Chrome, so when Google wrote a fix, Microsoft ported it into its Edge browser.
There’s no indication that any of the outstanding Windows vulnerabilities are currently being leveraged by malicious hackers. However, because each has been fully exploited by researchers, Trend Micro’s Zero Day Initiative (ZDI), which runs Pwn2Own, considers them “in the wild.”
“These types of bugs are very commonly used by threat actors,” says Dustin Childs, head of threat awareness at ZDI. “They’re usually combined with a remote code execution bug to take over a system, and they are a real threat to users everywhere.”
Windows Pwn2Own Bugs
The seven privilege escalation bugs in question affect various Windows components. They include two use-after-free bugs, a time-of-check to time-of-use (TOCTOU) bug, a heap-based buffer overflow, a privilege context switching error, an improper validation of specified quantity in input, and a race condition.
Some of these are straightforward escalation issues in the operating system. Others work in combination with virtualization bugs in guest-to-host escapes.
Beyond this, details are still being kept confidential. As a rule, Pwn2Own allows vendors 90 days after the competition to work on patches. This year’s event ran March 20–22, meaning Microsoft still has just over a month to get its house in order.
Microsoft has informed Dark Reading that it is working to address the vulnerabilities uncovered at Pwn2Own 2024 within the 90-day disclosure timeline.
“Personally, I’m starting to get worried because Microsoft stands alone right now,” Childs says. “VMware has patched. Oracle has patched. Mozilla patched within a couple of days. But obviously, they’re looking at something different than a browser — patching an OS that’s used by a billion people.
“So I’m not hitting the panic button, because I know what it takes to patch an OS. But I am to the point now where, especially because Microsoft has made so much noise about security being at the forefront [for it], and seeing that last month was the largest month ever for Microsoft patches, I am worried that they have so much else going on and these might fall by the wayside.”
Source: www.darkreading.com