Microsoft has successfully addressed a zero-day vulnerability that was actively being exploited to distribute a botnet across systems. The vulnerability, known as Heap-BASED BUFFER OVERFLOW and assigned the CVE-2024-30051 rating (CVSS 3.1: 7.8), affected the Desktop Window Manager (DWM) library. This vulnerability allowed attackers to gain system-level privileges on targeted systems. Microsoft identified and remedied the CVE error as part of their Tuesday Corrections.
The Desktop Window Manager is a Windows service introduced in Windows Vista, designed to enable hardware acceleration for rendering graphic elements of the interface, such as glass windows and 3D animations of transitions.
The vulnerability was initially discovered by specialists at Kaspersky Lab during an investigation of another privilege escalation error within the DWM library (CVE-2023-36033, CVSS 3.1: 7.8). Analysis of recent exploits and related attacks led to the discovery of a suspicious file uploaded to Virustotal on April 1, 2024.
This file contained details of a new vulnerability in DWM that could be exploited to elevate privileges to the System level. The exploitation process outlined in the file closely matched attacks utilizing CVE-2023-36033, despite describing an entirely new vulnerability.
It was observed by Kaspersky Lab that the exploit for this vulnerability was associated with QAKBOT and other malicious programs. Multiple groups are believed to have access to this exploit. Security researchers from Google Threat Analysis Group, DbappSecurity Webin Lab, and Mandiant also alerted Microsoft to the existence of this vulnerability, highlighting its potential widespread exploitation by malicious actors.