Nearly two months after they were demonstrated at Pwn2Own 2024 in Vancouver, seven distinct Windows privilege escalation vulnerabilities remain unpatched by Microsoft.
Despite shipping more than 60 security fixes in this week's Patch Tuesday, including patches for the actively exploited CVE-2024-30051 and CVE-2024-30040, Microsoft still lags behind other vendors such as Apple and Google in addressing the vulnerabilities that white-hat researchers demonstrated at the March contest.
To date, only one of the bugs demonstrated against Microsoft products has been patched, and that one was a browser issue that also affected Google Chrome: Microsoft incorporated Google's fix into its Chromium-based Edge browser.
While there is currently no evidence that the unpatched Windows vulnerabilities are being exploited by malicious actors, they were fully exploited on stage by researchers. Trend Micro's Zero Day Initiative (ZDI), which runs Pwn2Own, therefore considers them "in the wild": working exploits exist for every one of them.
"These types of bugs are very commonly used by threat actors," says Dustin Childs, head of threat awareness at ZDI. "They're usually combined with a remote code execution bug to take over a system, and they pose a real threat to users everywhere."
Details of the Vulnerabilities
The seven privilege escalation vulnerabilities affect various Windows components and fall into the following bug classes:
Two use-after-free bugs
A time-of-check to time-of-use (TOCTOU) bug
A heap-based buffer overflow
A privilege context switching error
Improper validation of a specified quantity in input (a length or count field that is not correctly bounds-checked)
A race condition
Some of these are straightforward escalation bugs within the operating system itself; others were chained with virtualisation bugs as part of guest-to-host escapes.
Further details remain confidential. Pwn2Own gives vendors 90 days after the competition to ship patches. This year's event ran from March 20 to 22, so Microsoft has just over a month of that window left.
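As an added illustration (not code from the article, and not one of the Pwn2Own entries, whose details are still confidential), the following C program shows the general shape of two of the classes listed above in one place: an "improper validation of specified quantity in input" bug, where a length field in a message header is bounds-checked with 32-bit arithmetic that wraps, so an oversized length passes the check and would drive a heap-based buffer overflow on the subsequent copy. The hardened version rearranges the comparison so it cannot wrap. The wire format, buffer size, sample messages and function names are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical wire format (assumption for this example): a 4-byte
   little-endian payload length followed by the payload. BUF_SIZE is the
   fixed destination buffer that a parser would copy header + payload into. */
#define HDR_LEN  4u
#define BUF_SIZE 64u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Weak validation: "header + payload must fit" is computed in 32 bits, so a
   declared length of 0xFFFFFFFE makes declared + 4 == 2, which passes both
   comparisons. Returns 0 on accept and hands back the length a memcpy would
   use; with the wrapped header that length is ~4 GiB into a 64-byte buffer. */
int validate_weak(const uint8_t *msg, size_t msg_len, uint32_t *copy_len)
{
    if (msg_len < HDR_LEN)
        return -1;
    uint32_t declared = read_le32(msg);
    if (declared + HDR_LEN > BUF_SIZE)    /* wraps for large declared */
        return -1;
    if (declared + HDR_LEN > msg_len)     /* same wrap */
        return -1;
    *copy_len = declared;                 /* a copy of this many bytes overflows */
    return 0;
}

/* Strict validation: compare the untrusted length against the room that is
   actually left, so no addition on attacker-controlled data can wrap. */
int validate_strict(const uint8_t *msg, size_t msg_len, uint32_t *copy_len)
{
    if (msg_len < HDR_LEN)
        return -1;
    uint32_t declared = read_le32(msg);
    if (declared > BUF_SIZE - HDR_LEN)    /* both subtrahends are constants, no wrap */
        return -1;
    if (declared > msg_len - HDR_LEN)     /* msg_len >= HDR_LEN was checked above */
        return -1;
    *copy_len = declared;
    return 0;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t SAMPLE_WRAPPED[8] = { 0xFE, 0xFF, 0xFF, 0xFF, 'A', 'B', 'C', 'D' };
const uint8_t SAMPLE_VALID[8]   = { 0x04, 0x00, 0x00, 0x00, 'A', 'B', 'C', 'D' };

int main(void)
{
    uint32_t n = 0;
    int rc;

    rc = validate_weak(SAMPLE_WRAPPED, sizeof SAMPLE_WRAPPED, &n);
    printf("weak   / wrapped header: rc=%d copy_len=%u\n", rc, n);

    rc = validate_strict(SAMPLE_WRAPPED, sizeof SAMPLE_WRAPPED, &n);
    printf("strict / wrapped header: rc=%d\n", rc);

    rc = validate_strict(SAMPLE_VALID, sizeof SAMPLE_VALID, &n);
    printf("strict / valid header:   rc=%d copy_len=%u\n", rc, n);
    return 0;
}
```

The pattern to take away is that every bound on attacker-supplied sizes should be expressed as "value is at most (limit minus fixed overhead)" rather than "value plus overhead is at most limit"; the former only ever subtracts constants from constants, so it cannot overflow regardless of what the input says.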
Microsoft has informed Dark Reading that it is actively working to resolve the vulnerabilities discovered at Pwn2Own 2024 within the 90-day disclosure period.
"Personally, I'm starting to get worried because Microsoft stands alone right now," Childs notes. "VMware has patched. Oracle has patched. Mozilla patched within a couple of days. But obviously, they're dealing with a different level of complexity compared to a browser—patching an OS used by a billion people."
Childs remains cautious rather than alarmed, acknowledging the difficulty of patching an operating system at that scale. His concern is that, despite Microsoft's stated emphasis on security, the company may be consumed by other priorities and let these vulnerabilities slip.