uTalk

Information has become available regarding a Microsoft Windows security hole that is currently being actively exploited and could be used by a threat actor to elevate their privileges on impacted systems.

The bug affects an elevation of privilege in the Win32k component and is tracked as CVE-2023-29336. It is given a severity rating of 7.8.

Microsoft stated in an advisory released as part of Patch Tuesday updates last month that "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.".

Jan Vojtek, Milánek, and Luigino Camastra, researchers for Avast, are credited with finding and reporting the flaw.

The graphical device interface (GUI) and window management are handled by Win32k . sys, a kernel-mode driver that is a crucial component of the Windows architecture.

Numen Cyber has dismantled the Microsoft patch to create a proof-of-concept (PoC) exploit for Windows Server 2016, despite the fact that the specifics of in-the-wild abuse of the flaw are currently unknown.

The Singapore-based cybersecurity firm claimed that the flaw depended on the exposed kernel handle address in the heap memory to ultimately obtain a read-write primitive.

According to Numen Cyber, historical Win32k flaws are well-known. "However, Microsoft tried to use Rust to refactor this portion of the kernel code in the most recent Windows 11 preview version. This might eliminate future vulnerabilities in the new system. ".

By highlighting the need for advanced security capabilities and concentrating on OS-level security attack and defense capabilities, Numen Cyber sets itself apart from typical Web3 security companies. Modern solutions to Web3's particular security challenges are provided by their goods and services.

Microsoft has agreed to pay a $20 million fine to resolve according to allegations made by the US Federal Trade Commission (FTC), the company improperly collected and stored the data of kids who registered to use the Xbox gaming console without the knowledge or consent of their parents.

According to Samuel Levine of the FTC, "Our proposed order makes it simpler for parents to protect their children's privacy on Xbox and limits what information Microsoft can collect and retain about children.". "This action should also make it abundantly clear that children's avatars, biometric information, and health information are not exempt from COPPA. ".

As part of the proposed settlement, which is still awaiting court approval, Redmond has been mandated to update its account creation procedures for minors in order to prevent the gathering and storing of data, including obtaining parental consent and deleting said information within two weeks if approval is not obtained.

In addition to requiring biometric data and avatars made from children's faces to adhere to privacy laws, the privacy protections also apply to independent game publishers with whom Microsoft shares children's data.

According to the FTC, Microsoft required those under 13 to provide their first and last names, email addresses, dates of birth, and phone numbers until late 2021, in violation of COPPA's consent and data retention requirements.

Additionally, according to reports, the maker of Windows shared user data with advertisers until 2019 when users agreed to Microsoft's service agreement and advertising policy by default.

The FTC claimed that Microsoft didn't ask users to involve their parents until after they had submitted this personal data. The process of creating the child's account was then completed by the child's parent before the child could get their own account. ".

However, Microsoft made the decision to break U.S. laws protecting children's privacy by keeping the information it collected about children during the account creation step even in cases where a parent did not finish the signup process for years.

The business has also been charged with creating a special persistent identifier for accounts belonging to minors, sharing that information with the creators of outside games and apps, and explicitly requesting that parents opt out in order to prevent their children from accessing outside games and apps on Xbox Live.

Xbox responded by stating that it was taking additional measures to strengthen its age verification processes and to make sure that parents were involved in the creation of child accounts for the service. The specifics of what such a system might be were not made public.

Additionally, it claimed that some of the problems were caused by a technical error that failed to "delete account creation data for child accounts where the account creation process was started but not completed," while emphasizing that the data was promptly deleted and was never "used, shared, or monetized.". ".

The FTC has previously penalized a video game developer for COPPA violations. Epic Games, the company behind Fortnite, reached a $520 million settlement with the organization in December 2022, in part as retaliation for breaking children's online privacy laws.

The penalties follow Microsoft's disclosure that it expects to pay the Irish Data Protection Commission (DPC) fines totaling "about $425 million" in the fourth quarter of 2023 for possibly breaking the General Data Protection Regulation (GDPR) by using LinkedIn users' personal information to serve targeted advertisements.

The development also occurs shortly after the FTC fined Amazon a total of $30.8 million for a series of privacy violations involving its Alexa personal assistant and Ring security cameras.

The Securities and Exchange Commission today filed an emergency action application seeking a temporary restraining order freezing assets, directing defendants to repatriate assets held for the benefit of customers of the Binance.US crypto trading platform, and seeking other emergency relief against Binance Holdings Limited, BAM Trading Services Inc., BAM Management US Holdings, Inc., and their founder, Changpeng Zhao, to ensure that Binance.US customers’ assets are protected and remain in the United States through the resolution of the SEC’s pending litigation of this matter.