As part of the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency takes its role in helping to protect the U.S. from hack attacks very seriously indeed. So, when it adds a Microsoft Windows kernel security vulnerability to the Known Exploited Vulnerabilities catalog, and says you have until Jan. 6, 2025, to update, you should take this notice equally seriously. Here’s what you need to know about CVE-2024-35250.
The Windows Kernel CVE-2024-35250 Vulnerability Explained
CVE-2024-35250 was described by Microsoft as a “Windows Kernel-Mode Driver Elevation of Privilege Vulnerability” and was patched by the technology behemoth in June 2024. The flaw is an untrusted pointer vulnerability that could, if exploited, give an attacker a way to escalate their privileges from local to admin, thus gaining system access. It was given an attack complexity rating of low. This is important as, it would appear, attackers have managed to exploit it in the wild, hence its addition to the CISA KEV catalog.
Although details of how this vulnerability is actually being exploited in the attacks that have led CISA to add it to the catalog are not available, the cybersecurity outfit which first disclosed CVE-2024-35250 has published a technical report revealing how Microsoft Kernel Streaming Service is involved.
Update Windows Before Jan. 6, CISA Warns
CISA’s KEV catalog is aimed squarely at federal agencies and employees, with legal implications for updating within a set time period laid out in Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. If this all sounds a bit formal and big government, that’s because it is. However, that’s not a reason to think the advice doesn’t apply to you. While, obviously, individuals and non-federal organizations have no legal obligation to abide by such a binding operational directive, CISA makes its recommendations quite clear: “CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.”
The good news is that you should have already applied the fix, which came as part of the Patch Tuesday security round-up in June, unless you are very lax in your patch management responsibilities. If, for whatever reason, you have not been keeping on top of your Windows security updates, may I suggest now is the time to rectify that. Especially as this particular vulnerability affects pretty much all versions from Windows 10 and Windows Server 2008 onwards.