Microsoft is currently under scrutiny for its failure to address seven privilege escalation vulnerabilities in Windows, which were initially revealed two months ago at the Pwn2Own 2024 event in Vancouver. Despite the recent Patch Tuesday release that included dozens of security fixes, Microsoft has yet to patch the aforementioned vulnerabilities, unlike its counterparts like Apple and Google.
One of the lingering issues Microsoft has failed to address is a bug that also affected Google Chrome. While Google swiftly developed a fix for the issue, Microsoft only integrated it into its Edge browser. This delay in addressing critical vulnerabilities has raised concerns among cybersecurity experts, especially considering the potential risks associated with unpatched bugs.
Although there is currently no evidence of malicious exploitation of these vulnerabilities, security researchers have fully exploited them, prompting Trend Micro’s Zero Day Initiative (ZDI) to classify them as “in the wild.” Dustin Childs, head of threat awareness at ZDI, emphasized the severity of these bugs, stating that threat actors commonly leverage them in combination with other vulnerabilities to compromise systems.
The seven privilege escalation bugs affect various Windows components and include use-after-free bugs, a time-of-check to time-of-use (TOCTOU) bug, a heap-based buffer overflow, a privilege context switching error, an improper input validation bug, and a race condition. While some of these bugs allow straightforward escalation within the operating system, others can be chained with virtualization bugs to achieve guest-to-host escapes.
As per the standard practice of Pwn2Own, participating vendors are given 90 days post-competition to address identified vulnerabilities. Since the event took place in March, Microsoft still has a month left to develop patches; the company has acknowledged the existence of the bugs and is reportedly working on fixes. However, concerns have been raised about the delay compared to other vendors, who have already patched their systems.
Childs expressed apprehension about Microsoft’s current stance on security, especially in light of its recent emphasis on cybersecurity. Given the company’s substantial user base and past security issues, there is growing concern that the unaddressed vulnerabilities may pose a significant threat if not promptly resolved. Childs highlighted the need for Microsoft to prioritize patching these bugs, considering the potential consequences of neglecting critical security updates.
In conclusion, Microsoft’s delay in addressing the series of privilege escalation vulnerabilities in Windows has underscored the importance of timely security patching and threat mitigation. As the cybersecurity landscape continues to evolve, it is imperative for companies like Microsoft to stay vigilant and proactive in safeguarding their systems against potential threats.
