Microsoft Confirms CVE-2024-37985 as Zero-Day Bug in Windows
Today, Microsoft Security Response Center (MSRC) updated its security advisory to mark CVE-2024-37985, which was disclosed on 09 July 2024, as a zero-day vulnerability. The flaw is classified as a Windows Kernel Information Disclosure Vulnerability, with a CVSS score of 5.9 (Medium), a notable threat to system security despite its moderate rating.
The vulnerability stems from a weakness in the Windows kernel, the core part of the Windows operating system responsible for managing system resources and hardware interactions. According to Microsoft, attackers who successfully exploit this vulnerability could access heap memory from a privileged process running on a vulnerable server.
Heap memory is dynamically allocated during the execution of processes. This memory may contain sensitive data, including system information or personal data being processed by critical applications. The ability to access heap memory without authorization can lead to severe information leakage, providing attackers with a foothold to further escalate attacks or compromise sensitive data.
Microsoft has confirmed that exploitation is not trivial: attackers must first take additional preparatory actions in the target environment before the flaw can be exploited successfully. Once these preconditions are met, however, the vulnerability opens the door to unauthorized data access.
Despite its public disclosure, Microsoft has withheld specific details about the nature of the attack vectors and techniques used to exploit CVE-2024-37985. This is a common practice when dealing with zero-day vulnerabilities to prevent further exploitation before a broad patch can be deployed.
While this vulnerability has not been classified as “critical,” the information disclosure risk posed by unauthorized access to heap memory should not be underestimated. Malicious actors can leverage such vulnerabilities to gain insight into the internal workings of privileged processes, potentially leading to more severe attacks like privilege escalation or remote code execution down the line.
The disclosure of CVE-2024-37985 came as part of Microsoft’s July 2024 Patch Tuesday security update, which included fixes for 142 vulnerabilities. Among these were two actively exploited zero-day vulnerabilities:
- CVE-2024-38080 – Windows Hyper-V Elevation of Privilege Vulnerability
- CVE-2024-38112 – Windows MSHTML Platform Spoofing Vulnerability
Additionally, two publicly disclosed zero-day vulnerabilities were addressed:
- CVE-2024-35264 – .NET and Visual Studio Remote Code Execution Vulnerability
- CVE-2024-37985 – Windows Kernel Information Disclosure Vulnerability