Microsoft Yet to Address Seven Zero-Day Vulnerabilities Uncovered in Pwn2Own 2024

May 17, 2024

Microsoft has yet to rectify seven distinct Windows privilege escalation vulnerabilities, which were made public at Pwn2Own 2024 in Vancouver two months ago. Despite this week's Patch Tuesday bringing about 60 security fixes, including solutions for the actively exploited CVE-2024-30051 and CVE-2024-30040 bugs, Microsoft has only patched one of the vulnerabilities disclosed at the event.

In contrast, tech giants like Apple and Google have already resolved the vulnerabilities revealed during the same event. Microsoft managed to fix one issue that also impacted Google Chrome. The fix was incorporated into Microsoft's Edge browser following Google's release of a solution.

Currently, there's no evidence to suggest that these remaining vulnerabilities in Windows are being exploited by cybercriminals. However, as they have been fully exploited by researchers, ZDI, the organizer of Pwn2Own, categorizes them as 'in the wild'. Dustin Childs, head of threat awareness at ZDI, stated, 'These types of bugs are very commonly used by threat actors. They're usually combined with a remote code execution bug to take over a system, and they are a real threat to users everywhere.'

The seven unaddressed privilege escalation vulnerabilities affect different components of Windows. They encompass two use-after-free bugs, a time-of-check to time-of-use (TOCTOU) bug, a heap-based buffer overflow, a privilege context switching error, an improper validation of specified quantity in input, and a race condition. Some of these are simple escalation issues within the operating system, while others work in conjunction with virtualization bugs in guest-to-host escapes. Further details are still confidential.

Pwn2Own typically allows vendors a 90-day period post-competition to develop patches. This year's competition took place March 20–22, leaving Microsoft just over a month of that window to address these issues. Microsoft has acknowledged the validity of these vulnerabilities and confirmed that it is working on solutions.

Childs expressed his concern, 'Personally, I'm starting to get worried because Microsoft stands alone right now. VMware has patched. Oracle has patched. Mozilla patched within a couple of days. But obviously, they're looking at something different than a browser — patching an OS that's used by a billion people. So I'm not hitting the panic button, because I know what it takes to patch an OS. But I am to the point now where, especially because Microsoft has made so much noise about security being at the forefront [for it], and seeing that last month was the largest month ever for Microsoft patches, I am worried that they have so much else going on and these might fall by the wayside.'
