Seven different Windows privilege escalation vulnerabilities have not yet been addressed by Microsoft, two months after they were revealed at Pwn2Own 2024 in Vancouver.
This week's Patch Tuesday brought with it five dozen security fixes, including fixes for the actively exploited CVE-2024-30051 and CVE-2024-30040 bugs.
Unlike Google and others, Microsoft has not yet patched a host of bugs uncovered by white hats back in March.
That same issue also affected Google Chrome, so when Google wrote a fix, Microsoft ported it into its Edge browser.
There's no indication that any of the outstanding Windows vulnerabilities are currently being leveraged by malicious hackers.
The seven privilege escalation bugs in question affect various Windows components.
They include two use-after-free bugs, a time-of-check to time-of-use bug, a heap-based buffer overflow, a privilege context switching error, an improper validation of specified quantity in input, and a race condition.
Some of these are straightforward escalation issues in the operating system.
Others work in combination with virtualization bugs in guest-to-host escapes.
Beyond this, details are still being kept confidential.
As a rule, Pwn2Own allows vendors 90 days after the competition to work on patches.
This year's event ran March 20-22, meaning Microsoft still has just over a month to get its house in order.
Microsoft has informed Dark Reading that it is working to address the vulnerabilities uncovered at Pwn2Own 2024 within the 90-day disclosure timeline.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 17 May 2024 12:00:13 +0000