Microsoft Patches Critical Xbox Vulnerability After Initial Dismissal
Charles M. Walls | March 21, 2024 | Views: 365
Microsoft has addressed a significant security concern within its Xbox Gaming Services by deploying a critical update, following an initial oversight where the issue was dismissed as non-critical by the company.
Dubbed CVE-2024-2891, the flaw presents an 'important' level of severity, as classified by Microsoft. This vulnerability offered a backdoor for attackers with minimal system access—equivalent to that of a standard user—to gain elevated system privileges. Essentially, individuals with the capability to create folders and performance traces on a device could exploit this flaw, Microsoft detailed in a statement.
Highlighting the importance of keeping software up-to-date, Microsoft has announced that versions 19.87.13001.0 and onwards of the app package come fortified against this vulnerability. Those who keep their systems updated automatically should receive this patch without needing to take additional action.
The discovery of CVE-2024-2891 was credited to Filip Dragovic, whose diligent reporting led to the public disclosure of this issue. Despite there being no current reports of this vulnerability being maliciously exploited, it has been deemed 'exploitation more likely' in terms of risk assessment.
The journey to recognizing the gravity of this flaw was not straightforward. Dragovic initially faced challenges in getting Microsoft to acknowledge the vulnerability, leading him to release a proof-of-concept (PoC) exploit. This detailed demonstration included technical insights and a video, showcasing the exploit in operation, emphasizing the potential for lower-privilege users to escalate their control to system level through the GamingService component, which isn't installed by default.
The cybersecurity community quickly took note of Dragovic's findings, with notable researcher Will Dormann confirming the vulnerability shortly after it was made public. This rapid verification prompted Microsoft to re-evaluate the issue, subsequently classifying it as 'important' and initiating the development of a patch, which was announced on March 20.
There remains speculation about whether Microsoft will offer a bug bounty for this discovery. Typically, Microsoft rewards discoveries of such nature through its Xbox bug bounty program, which offers rewards ranging from $500 to $20,000, depending on the severity and the quality of the report. However, because the flaw was disclosed publicly prior to Microsoft's patch and without direct coordination with the company, it's uncertain if Dragovic will receive compensation.
This incident underscores the critical nature of security in the gaming industry and the importance of collaborative efforts between tech giants and the cybersecurity community to ensure a safe gaming experience for all.
