Microsoft finally patches serious Windows kernel security flaw - but not before it was attacked

An abstract image of a lock against a digital background, denoting cybersecurity.
(Image Credit: TheDigitalArtist / Pixabay) (Image credit: Pixabay)

Microsoft has finally addressed a high-severity vulnerability that it reportedly knew was being exploited for at least half a year.

The flaw, tracked as CVE-2024-21338, was first discovered by cybersecurity researchers from Avast roughly six months ago. 

Described as a Windows Kernel privilege escalation vulnerability, the flaw was discovered in the appid.sys Windows AppLocker driver. It affected multiple versions of both Windows 10 and Windows 11 operating systems. It was also found in Windows Server 2019 and 2022.

Patch Tuesday to the rescue

Last year, Avast’s researchers notified Microsoft about the flaw, saying it was being used as a zero-day vulnerability. Since then, some of the world’s biggest and most dangerous threat actors have been actively using the flaw, including the North Koreans. 

We recently reported on Lazarus Group, a threat actor known to have ties with the North Korean government, abusing this same flaw to gain kernel-level access to vulnerable devices and disable antivirus programs. 

To exploit the zero-day, Lazarus used a new version of FudModule, its proprietary rootkit which was first spotted in late 2022. In previous attacks, the rootkit abused a Dell driver, in what’s known as Bring Your Own Vulnerable Driver (BYOVD) attack. Now, FudModule is stealthier and more functional, offering more ways to avoid being detected and turn off endpoint protection solutions.

Apparently, the group used it to disable products such as AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro anti-malware solution.

Now, as of mid-February 2024, a patch for the flaw is available. Microsoft also updated its advisory about the vulnerability last week, confirming the flaw being abused in the wild. No details about the attackers were shared, though. "To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system," Microsoft explained.

Users should install the February Patch Update cumulative update, Microsoft advised.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.