Microsoft has finally addressed a very serious vulnerability that the company reportedly knew was being exploited for at least six months.
The flaw, tracked as CVE-2024-21338, was first discovered by Avast cybersecurity researchers about six months ago.
Described as a Windows Kernel Privilege Escalation vulnerability, the flaw was discovered in the appid.sys Windows AppLocker driver. It affected multiple versions of both Windows 10 and Windows 11 operating systems. It was also found in Windows Server 2019 and 2022.
Patch Tuesday to the rescue
Last year, Avast researchers notified Microsoft of the flaw and said it was being used as a zero-day vulnerability. Since then, some of the world’s largest and most dangerous threat actors have actively exploited the flaw, including the North Koreans.
We recently reported on Lazarus Group, a threat actor known to have ties to the North Korean government, exploiting the same flaw to gain kernel-level access to vulnerable devices and disable antivirus programs.
To exploit the zero-day, Lazarus used a new version of FudModule, its proprietary rootkit first spotted in late 2022. In previous attacks, the rootkit exploited a Dell driver in a so-called Bring Your Own Vulnerable Driver (BYOVD) attack. . Now FudModule is more discreet and functional, offering more ways to avoid detection and disable endpoint protection solutions.
Apparently the group used it to disable products such as AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro anti-malware solution.
Now, as of mid-February 2024, a patch for the bug is available. Microsoft also updated its advisory on the vulnerability last week, confirming that the flaw is being exploited in the wild. However, no details about the attackers were shared. “To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system,” Microsoft explains.
Users should install the February patch update cumulative update, Microsoft advised.
Through BleepingComputer
