US government warns federal agencies to patch dangerous Windows kernel bug

A bug granting system privileges was a potentially serious threat

TechRadar

News By Sead Fadilpašić published 17 December 2024

(Image credit: Elchinator from Pixabay)

  • CISA added two new flaws to its KEV catalog
  • One of the bugs affects the Windows kernel, the other one was found in an Adobe product
  • US government agencies ordered to patch now or risk attack

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new Windows flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a deadline to apply a patch or stop using the software altogether.

The bug is a Microsoft Windows Kernel-Mode Driver Untrusted Pointer Dereference Vulnerability with a high severity score of 7.8, tracked as CVE-2024-35250.

The bug can be used to gain system privileges in low-complexity attacks that don’t even require any user interaction.


"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in its advisory.

Since Microsoft did not share any further details about this vulnerability, the publication cited the DEVCORE Research team, who demonstrated how the bug works during this year’s Pwn2Own Vancouver hacking contest. The same team reported the bug to Microsoft, which patched it in June’s Patch Tuesday cumulative update. A proof-of-concept (PoC) was released to GitHub a few months later.

When a vulnerability is added to KEV, that means that there is evidence of in-the-wild abuse. Federal agencies have a three-week deadline to apply the patch, or stop using the flawed software.

At the same time, CISA also added an Adobe ColdFusion vulnerability, tracked as CVE-2024-20767. This one is described as an improper access control weakness that grants unauthenticated remote threat actors the ability to read sensitive files. It affects ColdFusion versions 2023.6, 2021.12 and earlier, carries a high severity score of 7.4, and was patched by Adobe in March 2024.
