Microsoft has responded to a critical security issue by releasing a patch to address a vulnerability affecting the Xbox Gaming Services. Initially tracked as CVE-2024-28916, the severity of the vulnerability was underplayed by Microsoft until subsequently being corrected to an ‘important’ rating. This flaw enables a local attacker with low privileges to efficiently escalate permissions to the System level, requiring local access to the targeted machine and the ability to create folders and performance traces. Microsoft clarified that users with app package versions 19.87.13001.0 and later will have the vulnerability patched automatically if automatic updates are enabled.
Filip Dragovic was credited for bringing this vulnerability to Microsoft’s attention, and it was publicly disclosed soon after. Dragovic’s displeasure arose from Microsoft’s initial denial of the vulnerability, eventually prompting the disclosure of a proof-of-concept exploit and technical details demonstrating the flaw’s potential exploitability. Will Dormann, a renowned cybersecurity researcher, swiftly confirmed Dragovic’s findings, marking a pivotal milestone in the public recognition of the flaw’s seriousness.
Following the public disclosure and the validation by Dormann, Microsoft promptly acknowledged the issue’s importance and initiated efforts to release a fix. The tech giant released an advisory on March 20, addressing the Xbox Gaming Services vulnerability. Notably, the public disclosure of the flaw prior to Microsoft’s patch release raises questions about potential bug bounty payouts, as it went against Microsoft’s request for coordination and publication after a patch was made available. Microsoft’s dedicated Xbox bug bounty program, with rewards ranging from $500 to $20,000, includes a provision for important-severity privilege escalation vulnerabilities earning researchers between $1,000 and $5,000, contingent upon the quality of the reported flaw.
