Microsoft finally patches serious Windows kernel security flaw - but not before it was attacked

Six months after being notified, Microsoft makes its move

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Microsofthas finally addressed a high-severity vulnerability that it reportedly knew was being exploited for at least half a year.

The flaw, tracked as CVE-2024-21338, was first discovered by cybersecurity researchers from Avast roughly six months ago.

Described as a Windows Kernel privilege escalation vulnerability, the flaw was discovered in the appid.sys Windows AppLocker driver. It affected multiple versions of bothWindows 10andWindows 11operating systems. It was also found in Windows Server 2019 and 2022.

Patch Tuesday to the rescue

Last year, Avast’s researchers notified Microsoft about the flaw, saying it was being used as a zero-day vulnerability. Since then, some of the world’s biggest and most dangerous threat actors have been actively using the flaw, including the North Koreans.

We recently reported on Lazarus Group, a threat actor known to have ties with the North Korean government,abusing this same flawto gain kernel-level access to vulnerable devices and disable antivirus programs.

To exploit the zero-day, Lazarus used a new version of FudModule, its proprietary rootkit which was first spotted in late 2022. In previous attacks, the rootkit abused aDelldriver, in what’s known as Bring Your Own Vulnerable Driver (BYOVD) attack. Now, FudModule is stealthier and more functional, offering more ways to avoid being detected and turn off endpoint protection solutions.

Apparently, the group used it to disable products such as AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro anti-malware solution.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Now, as of mid-February 2024, a patch for the flaw is available. Microsoft also updated its advisory about the vulnerability last week, confirming the flaw being abused in the wild. No details about the attackers were shared, though. “To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system,” Microsoft explained.

Users should install the February Patch Update cumulative update, Microsoft advised.

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now

3 reasons why PIA fell in our best VPN rankings

Alt + Tab trouble: Windows 11’s 24H2 update turns time-saving shortcut into ten-second headache