Microsoft Has Yet to Patch 7 Pwn2Own Zero-Days

May 17, 2024 at 08:09AM

Seven Windows privilege escalation vulnerabilities discovered at Pwn2Own 2024 remain unpatched by Microsoft, with only one fix issued so far. Trend Micro’s Zero Day Initiative, which oversees Pwn2Own, notes the potential threat these bugs pose. Microsoft’s lag in resolving these issues contrasts with prompt actions by other tech companies, prompting concerns about the company’s priorities.

The key takeaways from the article are as follows:
– Seven different Windows privilege escalation vulnerabilities revealed at Pwn2Own 2024 remain unaddressed by Microsoft.
– This week’s Patch Tuesday included five dozen security fixes, but Microsoft has not patched numerous bugs uncovered by white hats in March, in contrast to other tech companies.
– Microsoft has only fixed one of the reported vulnerabilities, which was also addressed by Google for its Chrome browser.
– Trend Micro’s Zero Day Initiative (ZDI) considers the outstanding Windows vulnerabilities “in the wild” as they have been fully exploited by researchers and could potentially be used by threat actors.
– The seven privilege escalation bugs affect various Windows components and span several vulnerability classes, including use-after-free bugs, time-of-check to time-of-use (TOCTOU) bugs, and others.
– Microsoft has confirmed the legitimacy of the bugs and is working on fixes, but there are concerns about the progress in comparison to other tech vendors.
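The list above names TOCTOU as one of the bug classes. The following is an added illustration of that class in general, written for this page and unrelated to the specific Pwn2Own findings (which are not public): a POSIX check-then-open pattern beside its hardened open-then-check form, with a deliberately invoked hook standing in for the attacker who wins the race. The temporary directory, the `public`/`secret` files and the `between` hook are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed scenario: a "public" file the program may read and a "secret"
 * file it must not read, both created in a fresh temporary directory. */
static char g_public[128], g_secret[128];

static int write_file(const char *p, const char *text) {
    FILE *f = fopen(p, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Creates the scenario; returns 0 on success. (Temporary dirs are left behind.) */
int setup_demo(void) {
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    snprintf(g_public, sizeof g_public, "%s/public", dir);
    snprintf(g_secret, sizeof g_secret, "%s/secret", dir);
    return write_file(g_public, "public") | write_file(g_secret, "SECRET");
}

/* Stand-in for an attacker scheduled inside the check/use window: atomically
 * replace the already-checked name with a symlink to the secret file. */
static void swap_for_symlink(const char *path) {
    char tmp[160];
    snprintf(tmp, sizeof tmp, "%s.lnk", path);
    if (symlink(g_secret, tmp) == 0) rename(tmp, path);
}

/* Vulnerable pattern (CWE-367): check the name, then open the name. */
int open_check_then_use(const char *path, void (*between)(const char *)) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1; /* check */
    if (between) between(path);                                    /* race window */
    return open(path, O_RDONLY); /* use: follows whatever the name points to now */
}

/* Hardened pattern: open first without following a final symlink, then
 * validate the object actually opened through its own descriptor. */
int open_then_check(const char *path, void (*between)(const char *)) {
    if (between) between(path); /* same window, but nothing has been trusted yet */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Reads the file behind fd into buf and closes it; returns "" for an invalid fd. */
static const char *read_fd(int fd, char *buf, size_t n) {
    buf[0] = '\0';
    if (fd < 0) return buf;
    ssize_t got = read(fd, buf, n - 1);
    buf[got > 0 ? got : 0] = '\0';
    close(fd);
    return buf;
}

/* What each pattern lets the caller read when the attacker wins the race. */
const char *vulnerable_reads(char *buf, size_t n) {
    return read_fd(open_check_then_use(g_public, swap_for_symlink), buf, n);
}
const char *hardened_reads(char *buf, size_t n) {
    return read_fd(open_then_check(g_public, swap_for_symlink), buf, n);
}
/* Control: with no attacker the hardened pattern still reads the public file. */
const char *hardened_reads_unraced(char *buf, size_t n) {
    return read_fd(open_then_check(g_public, NULL), buf, n);
}

int main(void) {
    char buf[32];
    if (setup_demo() != 0) return 1;
    printf("vulnerable pattern read: \"%s\"\n", vulnerable_reads(buf, sizeof buf));
    if (setup_demo() != 0) return 1;
    printf("hardened pattern read:   \"%s\"\n", hardened_reads(buf, sizeof buf));
    if (setup_demo() != 0) return 1;
    printf("hardened, no race:       \"%s\"\n", hardened_reads_unraced(buf, sizeof buf));
    return 0;
}
```

The defensive point is that a decision made about a name is worthless once control returns to other code, because the name can be re-bound in between; decisions have to be made about the object already in hand (the descriptor), with `O_NOFOLLOW` closing the symlink route and `fstat` confirming what was actually opened. Kernel and driver code faces the same rule for any user-controllable pointer or handle that is validated and then re-read.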

The article makes clear that there are significant concerns about the unaddressed Windows vulnerabilities and about how quickly Microsoft is addressing them compared with other tech companies.
