
Upcoming Microsoft Windows Security Cutoff Date: The Importance of Upgrading Prior to January 6th

U.S. Cybersecurity Agency, CISA, has alerted about an active exploitation of a vulnerability in Microsoft Windows kernel, providing essential information and guidelines for appropriate action.

Two laptops showing the emblems of Windows 11 and Windows 10 side by side


As part of the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA) takes its job of safeguarding the U.S. from hacking attempts extremely seriously. So when it adds a Microsoft Windows kernel security vulnerability such as CVE-2024-35250 to its Known Exploited Vulnerabilities (KEV) catalog and sets a deadline of Jan. 6, 2025, for patching, you should take that warning seriously too. Here's a rundown on CVE-2024-35250:

The Windows Kernel Vulnerability CVE-2024-35250 Breakdown

Microsoft classified CVE-2024-35250 as a "Windows Kernel-Mode Driver Elevation of Privilege Vulnerability" and fixed it in June 2024. The flaw is an unchecked pointer vulnerability that could allow an attacker to elevate their privileges from local user to administrator and thereby gain full system access, and it was rated as having low attack complexity. Given how little effort exploitation requires, it is unsurprising that attackers have been able to use it in real-world attacks, which is why it has been added to the CISA KEV catalog.

Although CISA has not released specific details about the attacks that led to the catalog addition, the security firm that first disclosed CVE-2024-35250 has published a technical report detailing how the Microsoft Kernel Streaming Service is involved.

CISA Urges Windows Update Before Jan. 6

The CISA KEV catalog is primarily targeted at federal agencies and their staff, who are legally required to patch listed vulnerabilities within a specified timeframe under Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. Individuals and non-federal organizations aren't legally bound by that directive, but CISA's advice to them is unambiguous: “CISA strongly advises all organizations to minimize their vulnerability to cyberattacks by prioritizing timely resolution of catalog vulnerabilities within their vulnerability management practice.”

The fix shipped in June as part of that month's Patch Tuesday security updates, so unless patch management has been seriously neglected it should already be in place; if it isn't, now is the time to address that. It's worth noting that this vulnerability affects most versions of Windows 10, and Windows Server 2008 and later.
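To turn a KEV due date like the Jan. 6, 2025 deadline into something a patch-management process can act on, here is an added example (not code from the article or from CISA) that triages a KEV feed excerpt against the CVEs you have already remediated. It assumes the public KEV JSON layout (a top-level "vulnerabilities" list with "cveID" and "dueDate" fields); the sample records and the `triage_kev` function are constructed for this illustration.

```python
"""Flag CISA KEV catalog entries that are unpatched and due or overdue."""
import json
from datetime import date

# Constructed excerpt in the KEV JSON layout (assumption: this mirrors the
# public feed's field names). The CVE-2024-35250 record uses the due date
# the article cites; the second record is an invented filler entry.
SAMPLE_FEED = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2024-35250", "vendorProject": "Microsoft",
     "product": "Windows",
     "vulnerabilityName": "Windows Kernel-Mode Driver Elevation of Privilege Vulnerability",
     "dueDate": "2025-01-06"},
    {"cveID": "CVE-2024-00001", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct",
     "vulnerabilityName": "Constructed filler entry",
     "dueDate": "2025-02-01"}
  ]
}
""")


def triage_kev(feed, patched_cves, today):
    """Return (cveID, dueDate, days_overdue) for every catalog entry not in
    patched_cves. days_overdue is positive once the BOD 22-01 due date has
    passed and negative while time remains; most overdue entries come first.
    """
    findings = []
    for entry in feed["vulnerabilities"]:
        cve = entry["cveID"]
        if cve in patched_cves:
            continue  # already remediated, nothing to chase
        due = date.fromisoformat(entry["dueDate"])
        findings.append((cve, entry["dueDate"], (today - due).days))
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


if __name__ == "__main__":
    # Example run: nothing patched yet, evaluated a few days past the deadline.
    for cve, due, days in triage_kev(SAMPLE_FEED, set(), date(2025, 1, 10)):
        state = f"{days} days OVERDUE" if days > 0 else f"{-days} days remaining"
        print(f"{cve:<16} due {due}  {state}")
```

Feed the live catalog by loading the JSON published by CISA in place of `SAMPLE_FEED`, and build `patched_cves` from your own vulnerability-management data.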

CISA, as part of the DHS, added CVE-2024-35250, a Windows kernel vulnerability, to its Known Exploited Vulnerabilities catalog because attackers are exploiting it. The flaw, classified as a "Windows Kernel-Mode Driver Elevation of Privilege Vulnerability," lets attackers elevate their privileges and poses a significant threat to Windows security. To mitigate this risk, CISA strongly advises all organizations to update their Windows systems before the Jan. 6, 2025 deadline set under Binding Operational Directive 22-01.
