Microsoft has yet to address seven Windows privilege escalation vulnerabilities discovered at Pwn2Own 2024 [1] [2], raising concerns about potential exploitation by threat actors [2].

Description

The vulnerabilities include use-after-free bugs, a TOCTOU bug [2], a heap-based buffer overflow [2], privilege context switching [1], input validation [1], and race condition issues [1]. While some bugs have been fixed [2], Microsoft still has over a month to address the remaining issues before ZDI releases exploit details [2]. Trend Micro’s ZDI considers these unaddressed vulnerabilities “in the wild” and warns of their potential exploitation by threat actors [2]. Microsoft has assured that it is working to address these vulnerabilities within the 90-day disclosure timeline [1] [2], amidst concerns about its ability to prioritize security amidst a high volume of patches [1].

Conclusion

The unaddressed vulnerabilities pose a significant risk and highlight the importance of timely patching and prioritizing security. Microsoft’s efforts to address these issues within the disclosure timeline will be crucial in mitigating potential threats and ensuring the security of Windows systems.

References

[1] https://ciso2ciso.com/microsoft-has-yet-to-patch-7-pwn2own-zero-days-source-www-darkreading-com/
[2] https://www.darkreading.com/vulnerabilities-threats/microsoft-has-yet-to-patch-7-pwn2own-zero-days