Microsoft Has Yet to Patch 7 Pwn2Own Zero-Days

A number of serious Windows bugs still havent made their way into criminal circles, but that wont remain the case forever — and time is running short before ZDI releases exploit details.

Seven different Windows privilege escalation vulnerabilities have not yet been addressed by Microsoft, two months after they were revealed at
Pwn2Own 2024 in Vancouver
.
This weeks Patch Tuesday brought with it
five dozen security fixes
, including fixes for the actively exploited CVE-2024-30051 and CVE-2024-30040 bugs. But unlike Apple,
Google
, and others, Microsoft has
not yet patched a host of bugs
uncovered by white hats back in March.
To date, the company has fixed only one. That same issue also affected Google Chrome, so when Google wrote a fix, Microsoft ported it into its Edge browser.
Theres no indication that any of the outstanding Windows vulnerabilities are currently being leveraged by malicious hackers. However, because each has been fully exploited by researchers, Trend Micros Zero Day Initiative (ZDI), which runs Pwn2Own, considers them in the wild.
These types of bugs are very commonly used by threat actors, says Dustin Childs, head of threat awareness at ZDI. Theyre usually combined with a remote code execution bug to take over a system, and they are a real threat to users everywhere.
The seven privilege escalation bugs in question affect various Windows components. They include two use-after-free bugs, a time-of-check to time-of-use (TOCTOU) bug, a heap-based buffer overflow, a privilege context switching error, an improper validation of specified quantity in input, and a race condition.
Some of these are straightforward escalation issues in the operating system. Others work in combination with virtualization bugs in guest-to-host escapes.
Beyond this, details are still being kept confidential. As a rule, Pwn2Own allows vendors 90 days after the competition to work on patches. This years event ran March 20–22, meaning Microsoft still has just over a month to get its house in order.
Microsoft has informed Dark Reading that it is working to address the vulnerabilities uncovered at Pwn2Own 2024 within the 90-day disclosure timeline.
Personally, Im starting to get worried because Microsoft stands alone right now, Childs says. VMware has patched. Oracle has patched. Mozilla patched within a couple of days. But obviously, theyre looking at something different than a browser — patching an OS thats used by a billion people.
So Im not hitting the panic button, because I know what it takes to patch an OS. But I am to the point now where, especially because
Microsoft has made so much noise
about security being at the forefront [for it], and seeing that last month was the
largest month ever for Microsoft patches
, I am worried that they have so much else going on and these might fall by the wayside.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Microsoft Has Yet to Patch 7 Pwn2Own Zero-Days