Another Windows zero day allows for admin privileges

Researcher Abdelhamid Naceri who often reports on Windows bugs this time dropped a working proof-of-concept exploit for admin privileges zero-day on GitHub. According to Naceri it will work on all supported versions of Windows. This particular zero day can allow a potential bad actor to open a command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges. It lets them easily elevate their privileges and spread next within the network. The zero day affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.

New Microsoft bug allows for admin privileges in all supported Windows versions

“We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim’s machine,” a Microsoft spokesperson said in a statement.

The admin privileges zero day was discovered by Naceri when he had been analyzing CVE-2021-41379 patch. Microsoft fixed the vulnerability previously but it turned out be not completely. The researcher afterwards examined it and found a bypass along with new admin privileges zero day. He then decided instead of dropping the bypass to choose the newly discovered vulnerability. He argued that it was more potent than the one uncompletely fixed.

Many researches don`t like Microsoft`s new bug bounty terms

And the reason for making it public lies in researchers’ disappointment with Microsoft’s bug bounty program. He complains that since April 2020 Microsoft bounties have been trashed. And that he really would really wouldn’t do that if MSFT didn’t take the decision to downgrade those bounties. It seems like other researchers also don`t like the new terms of Microsoft’s bounty program.

Most likely Microsoft will release the patch for this admin privileges zero day in the next Patch Tuesday update. For those third-party patching companies to try to fix the vulnerability by attempting to patch the binary Naceri has warnings that it might break the installer. He thinks that due to the complexity of this vulnerability the best solution here will be to wait for Microsoft to release a security patch.

In regard to this zero day the Cisco Talos researchers report that threat actors have already begun to exploit this vulnerability. The researchers were able to identify several malware samples that were already attempting to leverage the exploit. Although they say the volume is low and it means that bad actors just try to work with the proof of concept code or test it for future campaigns.

In case you missed the news we will add here some excerpts of it. In August 2021 Microsoft’s Azure suffered an enormous DDoS attack that peaked at 2.4Tbps. Company however didn`t disclose the attacked customer identity who successfully stood the onslaught. Microsoft also added in a follow up statement that the attack traffic originated from roughly 70,000 sources and from multiple countries in the Asia-Pacific region, such as Malaysia, Japan, Taiwan, Vietnam and China, as well as from the United States.