Microsoft Yet to Address Seven Privilege Escalation Vulnerabilities Revealed at Pwn2Own 2024

Microsoft has yet to patch 7 critical Windows vulnerabilities from Pwn2Own 2024, raising concerns about user security.

Microsoft Yet to Address Seven Privilege Escalation Vulnerabilities Revealed at Pwn2Own 2024

The Deadly 7

Microsoft has yet to patch seven critical Windows privilege escalation vulnerabilities two months after their disclosure at the Pwn2Own 2024 competition in Vancouver. This week's Patch Tuesday delivered 60 security fixes, including patches for the actively exploited CVE-2024-30051 and CVE-2024-30040 bugs. However, Microsoft lags behind other tech giants like Apple and Google in addressing several bugs identified by cybersecurity researchers in March.

To date, Microsoft has patched only one of the vulnerabilities. This issue also affected Google Chrome, and Microsoft was able to implement the fix in its Edge browser after Google addressed it.

Although there is no current evidence of these vulnerabilities being exploited by malicious hackers, Trend Micro's Zero Day Initiative (ZDI), which manages Pwn2Own, considers them "in the wild" since researchers have fully exploited each bug. "These types of bugs are very commonly used by threat actors," said Dustin Childs, head of threat awareness at ZDI. "They're usually combined with a remote code execution bug to take over a system, and they are a real threat to users everywhere."

The seven unresolved privilege escalation vulnerabilities affect various Windows components, including:

  • Two use-after-free bugs
  • A time-of-check to time-of-use (TOCTOU) bug
  • A heap-based buffer overflow
  • A privilege context switching error
  • An improper validation of specified quantity in input
  • A race condition

While some of these issues are straightforward escalation problems within the operating system, others involve more complex combinations with virtualization bugs in guest-to-host escapes.

Despite the concern, details about these vulnerabilities remain confidential as per Pwn2Own's policy, which allows vendors 90 days to work on patches. With this year's event occurring from March 20-22, Microsoft still has just over a month to address these issues.