Microsoft has confirmed a security flaw in the Xbox Gaming Service and released a software update that patches it. The fix was preceded by a dispute over whether the issue counted as a security vulnerability at all.
Filip Dragović discovered the vulnerability and published a GitHub entry including a proof-of-concept exploit (PoC). The vulnerability affects the Xbox GamingService service, which is not active by default but can be installed in Windows from the Microsoft Store. As Dragović explains, it allows users with low privileges to gain SYSTEM privileges (CVE-2024-28916, CVSS 8.8, risk “high”). In response to his vulnerability report, he received the following answer from Microsoft: “It appears that no security boundary is being broken here.”
Microsoft: Later U-turn
However, the well-known IT security researcher Will Dormann jumped to Dragović's side.
“I understand that MSRC (Microsoft Security Response Center, Editor's Note) often goes back and forth on what is a security boundary and what is not for some things (i.e. admin to kernel). However, if non-administrative users can reproducibly gain SYSTEM rights and the MSRC says 'no security boundary has been crossed', one can only be surprised,” writes Dormann on X, formerly Twitter.
Apparently, reactions like this led Microsoft to re-examine its assessment. A little later, Dragović wrote on X that Microsoft had revised it.
“Suddenly the MSRC thinks that this is a real problem. I'm laughing my ass off (Lmao),” Dragović wrote above a screenshot of a message from Microsoft. In it, the MSRC wrote: “We have asked additional team members to review the case. We have concluded that this is a significant threat and have informed the team to correct the reported issue.”
On Wednesday of this week, Microsoft published a vulnerability entry. With a CVSS score of 8.8, the risk assessment for the vulnerability only just falls short of “critical”. The update should be distributed automatically; installation can be accelerated if necessary by opening Windows Update and checking for updates there. Version 19.87.13001.0 and newer fix the security bug. The installed version can be checked in Windows PowerShell with the command get-appxpackage Microsoft.GamingServices, Microsoft adds.
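To turn that one-line check into something an administrator can run across machines, here is an added PowerShell example (not from the article and not Microsoft's code) that reads the installed Microsoft.GamingServices package version and compares it against the 19.87.13001.0 threshold the article cites. The function name and the output fields are my own; the version threshold is the one stated above.

```powershell
# Added example, not from the article: report whether the installed
# Microsoft.GamingServices package is at or above the fixed version.
function Test-GamingServicesPatched {
    [CmdletBinding()]
    param(
        # Minimum fixed version as stated in the article (19.87.13001.0)
        [version]$FixedVersion = [version]'19.87.13001.0'
    )

    # Get-AppxPackage returns nothing if the package is not installed for this
    # user. If several entries exist (e.g. per architecture), keep the highest.
    $pkg = Get-AppxPackage -Name Microsoft.GamingServices -ErrorAction SilentlyContinue |
        Sort-Object { [version]$_.Version } -Descending |
        Select-Object -First 1

    if (-not $pkg) {
        return [pscustomobject]@{
            Installed = $false
            Version   = $null
            Status    = 'NotInstalled'
            Note      = 'Microsoft.GamingServices is not installed; the vulnerable service is absent'
        }
    }

    # Cast to [version] so the comparison is numeric per component,
    # not a string comparison (e.g. "19.9" would otherwise sort above "19.87").
    $installed = [version]$pkg.Version
    $isFixed   = $installed -ge $FixedVersion

    [pscustomobject]@{
        Installed = $true
        Version   = $installed
        Status    = if ($isFixed) { 'Patched' } else { 'Vulnerable' }
        Note      = if ($isFixed) {
                        "Fixed version ($FixedVersion) or newer is installed"
                    } else {
                        "Update via Windows Update or the Microsoft Store to $FixedVersion or newer"
                    }
    }
}

# Usage: print the result for the current machine
Test-GamingServicesPatched | Format-List
```

Run as the user who installed the package; by default Get-AppxPackage only lists packages for the current user, so a fleet check that covers every profile needs an elevated session with -AllUsers.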
(dmk)