As the most popular operating system on the planet, it’s no surprise that hackers constantly target Windows. What is more shocking is just how long Microsoft takes to fix things. The Redmond company is only just patching a vulnerability six months after cybersecurity experts highlighted it.
Avast first found and reported the admin-to-kernel exploit in August 2023, showcasing a proof of concept. Hidden in AppLocker, the program responsible for whitelisting Windows’ built-in software, the trick is the “holy grail” of rootkit vulnerabilities.
Orchestrated by the North Korean malware pushers Lazarus Group, the attack aims to gain kernel read/write primitives and install the malicious FudModule rootkit undetected. In turn, the DLL bypasses system monitoring features, including protective firewalls and antimalware software. The bottom line is that bad actors can play havoc with victims’ kernels, and this has been the case for months now.
“A user-space attacker could abuse it to essentially trick the kernel into calling an arbitrary pointer,” Avast said. “This presented an ideal exploitation scenario, allowing the attacker to call an arbitrary kernel function with a high degree of control over the first argument.”
If it sounds serious, then that’s because it is. Microsoft doesn’t consider this particular type of issue a matter of priority, however. On its Security Servicing page, the company states some systems are “not intended to provide a robust security boundary.” That’s why it took until February to fix it with the CVE-2024-21338 patch.
Worse yet, the company reportedly didn’t admit the exploit was in active use until Avast published its own report. That acknowledgement came in a subsequent update. Microsoft not only needs to be more prompt with its update practices but also needs to be clearer in its patch notes when zero-day vulnerabilities are under active exploitation. Somehow, I doubt it’ll get any better when Windows 12 finally rolls around, though.