Microsoft Patches Xbox Vulnerability Following Public Disclosure

March 21, 2024 at 09:45AM

Microsoft has released a patch for an Xbox vulnerability (CVE-2024-2891) rated ‘important’ severity that allows a local attacker with low privileges to escalate to System. The fix is delivered automatically to users who have automatic updates enabled. Microsoft was initially reluctant to acknowledge the issue, and the researcher who reported it later disclosed it publicly.

Microsoft has released a patch for CVE-2024-2891, an important-severity vulnerability in Xbox Gaming Services. A local attacker with low privileges can exploit the flaw to escalate permissions to System. The fix ships in app package version 19.87.13001.0 and later and is delivered automatically to users with updates enabled; users who have disabled automatic app updates will not receive it until they update the package manually. Filip Dragovic reported the vulnerability and subsequently disclosed it publicly. There is no evidence of malicious exploitation, but Microsoft rates the flaw ‘exploitation more likely’, so the version check is worth doing rather than assuming the update has landed.

After initially disputing the report, Microsoft acknowledged the severity and began working on a fix, which it announced on March 20. Whether a bug bounty will be paid remains uncertain, given the public disclosure and the lack of coordination with Microsoft. The company runs a dedicated Xbox bug bounty program with rewards typically ranging from $500 to $20,000. The case illustrates both why coordinated vulnerability disclosure matters and what public disclosure before a patch is available can cost the reporter.
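The article gives a fixed version but not a way to verify it. The following PowerShell check is an added example, not code from the article or from Microsoft: it reads the installed Gaming Services app package version and compares it against the 19.87.13001.0 threshold the article cites. It assumes the package is published under the name Microsoft.GamingServices, which the article does not state, and that the version string parses as a four-part [version] value.

```powershell
# Added example (not from the article): compare the installed Gaming Services app
# package against the fixed version cited for CVE-2024-2891.
# Assumption: the package name is 'Microsoft.GamingServices' (not stated in the article).
# -AllUsers enumerates every user's packages and requires an elevated session.
$FixedVersion = [version]'19.87.13001.0'

$pkgs = Get-AppxPackage -AllUsers -Name 'Microsoft.GamingServices' -ErrorAction SilentlyContinue

if (-not $pkgs) {
    Write-Output 'Gaming Services package not installed; this host is not exposed via this component.'
    return
}

foreach ($pkg in $pkgs) {
    # Appx version strings are dotted quads, so [version] gives a proper numeric comparison
    # (a plain string compare would mis-order e.g. 19.9.x against 19.87.x).
    $installed = [version]$pkg.Version
    $status = if ($installed -ge $FixedVersion) { 'patched' } else { 'VULNERABLE - update required' }

    [pscustomobject]@{
        Package      = $pkg.PackageFullName
        Installed    = $installed
        FixedVersion = $FixedVersion
        Status       = $status
    }
}
```

Run it from an elevated PowerShell session; drop `-AllUsers` to check only the current user's packages without elevation. A 'VULNERABLE' result on a host where automatic app updates are disabled means the package must be updated manually through the Microsoft Store before the fix takes effect.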
