Microsoft Has Yet to Patch 7 Pwn2Own Zero-Days

  /     /     /  
Publicated : 23/11/2024   Category : security


Microsoft Has Yet to Patch 7 Pwn2Own Zero-Days


A number of serious Windows bugs still havent made their way into criminal circles, but that wont remain the case forever — and time is running short before ZDI releases exploit details.



Seven different Windows privilege escalation vulnerabilities have not yet been addressed by Microsoft, two months after they were revealed at
Pwn2Own 2024 in Vancouver
.
This weeks Patch Tuesday brought with it
five dozen security fixes
, including fixes for the actively exploited CVE-2024-30051 and CVE-2024-30040 bugs. But unlike Apple,
Google
, and others, Microsoft has
not yet patched a host of bugs
uncovered by white hats back in March.
To date, the company has fixed only one. That same issue also affected Google Chrome, so when Google wrote a fix, Microsoft ported it into its Edge browser.
Theres no indication that any of the outstanding Windows vulnerabilities are currently being leveraged by malicious hackers. However, because each has been fully exploited by researchers, Trend Micros Zero Day Initiative (ZDI), which runs Pwn2Own, considers them in the wild.
These types of bugs are very commonly used by threat actors, says Dustin Childs, head of threat awareness at ZDI. Theyre usually combined with a remote code execution bug to take over a system, and they are a real threat to users everywhere.
The seven privilege escalation bugs in question affect various Windows components. They include two use-after-free bugs, a time-of-check to time-of-use (TOCTOU) bug, a heap-based buffer overflow, a privilege context switching error, an improper validation of specified quantity in input, and a race condition.
Some of these are straightforward escalation issues in the operating system. Others work in combination with virtualization bugs in guest-to-host escapes.
Beyond this, details are still being kept confidential. As a rule, Pwn2Own allows vendors 90 days after the competition to work on patches. This years event ran March 20–22, meaning Microsoft still has just over a month to get its house in order.
Microsoft has informed Dark Reading that it is working to address the vulnerabilities uncovered at Pwn2Own 2024 within the 90-day disclosure timeline.
Personally, Im starting to get worried because Microsoft stands alone right now, Childs says. VMware has patched. Oracle has patched. Mozilla patched within a couple of days. But obviously, theyre looking at something different than a browser — patching an OS thats used by a billion people.
So Im not hitting the panic button, because I know what it takes to patch an OS. But I am to the point now where, especially because
Microsoft has made so much noise
about security being at the forefront [for it], and seeing that last month was the
largest month ever for Microsoft patches
, I am worried that they have so much else going on and these might fall by the wayside.

Last News

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Microsoft Has Yet to Patch 7 Pwn2Own Zero-Days