Microsoft left a kernel-level, zero-day bug in Windows for six months before patching it

Alfonso Maruccia

WTF?! Microsoft became a victim of its own policies as the company left a dangerous security issue unresolved for months. The North Korean hacker group known as Lazarus took advantage of the situation by gaining almost limitless access to Windows' innermost core – the kernel.

For six months, Microsoft was aware of a zero-day security vulnerability actively exploited by hackers. The Lazarus cyber-criminal gang had been using the flaw since August 2023 as a means to install a rootkit known as FudModule.

According to Avast researchers, FudModule is an exceptionally stealthy and advanced piece of malware, but Microsoft made the hackers' lives much easier by essentially treating the dangerous flaw as a non-issue.

The bug, tracked by Microsoft as CVE-2024-21338, is a Windows kernel elevation of privilege vulnerability. In theory, malicious users with administrative access could exploit the vulnerability to easily interact with the OS kernel. Microsoft's official policies on security servicing criteria state that this kind of "administrator-to-kernel" problem doesn't qualify as a security boundary, meaning the company will likely not rush to close the bug anytime soon.

Avast states that acquiring unrestricted kernel access is the "holy grail" of any rootkit, a stealthy menace usually designed to subvert OS security measures without providing direct signs of its actions. Kernel access can be achieved by exploiting known vulnerabilities in third-party drivers, an approach known as BYOVD (Bring Your Own Vulnerable Driver).

BYOVD is a "noisy" technique that can be intercepted and thwarted by users or security protections, according to Avast. The CVE-2024-21338 flaw, however, resides in Windows' native AppLocker service driver (appid.sys).

Thanks to CVE-2024-21338 and Microsoft's negligence in properly addressing the problem, the FudModule rootkit provided Lazarus hackers with a way to do essentially everything they wanted on a Windows system. The malware could easily bypass security measures, completely hide the traces of its malicious deeds (files on disk, running processes, network activity, etc.), and more.

Microsoft finally released a patch to fix CVE-2024-21338 in February 2024, but the original security bulletin provided no relevant information about the true extent and danger of the issue. After Avast publicly spilled the beans about the vulnerability 15 days later, Microsoft was seemingly forced to update its bulletin.
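The two defender-side questions raised by the BYOVD and appid.sys paragraphs above are "is the native AppLocker driver on this machine at the patched version?" and "which running kernel drivers did not ship with Windows?". The PowerShell below is an added example, not code from the article, Avast or Microsoft, and it assumes that the patched version string for appid.sys is filled in from the February 2024 update's file information (the `$PatchedAppIdVersion` placeholder is left empty here on purpose); all function names are this example's own.

```powershell
# Added example (not from the article, Avast or Microsoft). Run from an elevated
# PowerShell prompt on the host being checked.
#   1. Report the file version of the native AppLocker driver (appid.sys) so it can be
#      compared with the version delivered by the February 2024 update.
#   2. List running kernel drivers whose Authenticode signer is not the Windows inbox
#      signer, i.e. the third-party driver surface that BYOVD relies on.
# ASSUMPTION / PLACEHOLDER: $PatchedAppIdVersion must be taken from the update's file
# information; it is deliberately left unset here.
$PatchedAppIdVersion = $null   # PLACEHOLDER, e.g. a '10.0.<build>.<rev>' string from the February 2024 update

function Get-AppIdDriverVersion {
    $file = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
    $info = (Get-Item -LiteralPath $file).VersionInfo
    $atOrAbovePatch = $null
    if ($PatchedAppIdVersion) {
        # ProductVersion on system files is a plain dotted string; FileVersion carries a build tag
        try { $atOrAbovePatch = [version]$info.ProductVersion -ge [version]$PatchedAppIdVersion } catch { }
    }
    [pscustomobject]@{
        File           = $file
        ProductVersion = $info.ProductVersion
        FileVersion    = $info.FileVersion
        AtOrAbovePatch = $atOrAbovePatch   # stays $null until the placeholder above is filled in
    }
}

function Get-NonInboxKernelDrivers {
    # Win32_SystemDriver lists the kernel-mode drivers registered with the Service Control Manager
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # The SCM stores paths in NT form; normalise the two common prefixes to a Win32 path
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $signer = '<unsigned or unreadable>'
            $status = 'Unknown'
            if ($sig) {
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                SigStatus = $status
                Signer    = $signer
                # Drivers that ship with Windows are typically signed with a subject beginning
                # "CN=Microsoft Windows,"; anything else (including attestation-signed vendor
                # drivers) is worth reviewing against Microsoft's vulnerable driver blocklist.
                NonInbox  = ($signer -notmatch '^CN=Microsoft Windows,')
            }
        } |
        Where-Object { $_.NonInbox }
}

Get-AppIdDriverVersion | Format-List
Get-NonInboxKernelDrivers | Sort-Object Name | Format-Table Name, SigStatus, Signer, Path -AutoSize
```

The signer check is a coarse first pass only: since Windows 10, vendor drivers are normally attestation-signed through Microsoft, so their subject still contains "O=Microsoft Corporation" and only the leading CN distinguishes them from inbox drivers. Treat the resulting list as the set to reconcile against the vulnerable driver blocklist and your own software inventory, not as a verdict.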

Security experts now hold conflicting stances on Redmond's behavior with CVE-2024-21338. Independent researcher Kevin Beaumont stated that having the "largest market cap in the world" would likely provide enough funds to properly invest in security, while Will Dormann (Analygence) said that Microsoft could have had a "very good reason" (or different engineering priorities) to postpone the CVE-2024-21338 patch by six months.

This exploit requires admin level access to elevate to kernel-level access. If an attacker already has admin privileges on a machine, there's little they can't already do anyway.

Absolutely, this really is a storm in a teacup and the reason this is not that big an issue. If a user is able to get admin level access to a machine they will likely have already got everything they want and will be able to continue to do so. This only has some use if they think they will not be able to have admin level access sometime later and want an ongoing backdoor installed as a nice quiet rootkit. As you said, there are a myriad of ways they could achieve very similar outcomes if they have admin access by installing drivers etc.
 
For all you people freaking out, the article said: "malicious users with administrative access" can exploit this vulnerability.

If a malicious user gains admin access on a network or system, it's too late.
 
Just to add to the above three posts, if a "malicious user" is by whatever means able to get access to a PC, well, they can do pretty much anything they want.
