Microsoft has confirmed the vulnerability, CVE-2024-30078, can be remotely executed if the attacker is within WiFi range. It affects all versions of Windows, old and new. Non-supported versions of Windows like Windows 7 and 8 are not going to be patched.
The attack requires no authentication, no access to any files or settings and the victim does not need to click on a link or open an attachment file. If the attack is successful the user “will experience a total loss of confidentiality”, which is Microsoft’s way of any data that the victim can see is at risk.
A zero-interaction attack means that the user is highly unlikely to even know that he or she has been compromised. While it was not being actively exploited before the patch, it is likely it is or wil be soon since the attack complexity is low. I am confident that this bug is patched in this month’s patch bundle but I am seeing conflicting KB numbers with the specifics of the patch.
Credit: Computing