Windows users warned of wireless takeover vulnerability
Users are advised to update immediately
Microsoft has confirmed a newly discovered vulnerability which has been rated 8.8 out of a possible 10 by the Common Vulnerability Scoring System.
Some of the alarm expressed about this vulnerability, which has been classified as CVE-2024-30078, is due to the fact that it can be exploited remotely, although physical proximity is necessary.
An unauthenticated attacker can exploit the vulnerability to carry out remote code execution on the compromised device. This vulnerability is not confined to older versions of Windows. It affects all supported versions of the operating system.
In a security update Microsoft has confirmed that with physical proximity alone, an attacker could "expect repeatable success against the vulnerable component." Further, Microsoft warns that an attacker requires no authentication as a user before exploiting this vulnerability, nor any access to settings or files on the victim's machine in advance of carrying out the attack.
What's also worrying users is that the user of the compromised device doesn't have to be duped into clicking a link or executing a file. No user action is required.
Microsoft says that exploitation of this flaw is "less likely," probably due to the proximity requirement, but not all security researchers are reassured by this. The fact that the vulnerability affects all versions means it's likely to draw the interest of those with ill intent fairly quickly.
Microsoft has released a security update in the June 2024 Patch Tuesday to address this vulnerability and advises users to patch immediately.
The timing of the discovery of this flaw is unfortunate for Microsoft. The company has delayed the availability of its controversial Windows Recall, the Windows 11 AI feature that will take screenshots every few seconds and save them locally to enable users to surface information more quickly.
If data is saved to disk with no additional security measures, then that data will be available to anyone with access to the device. And this vulnerability exposes just how easy that could be.