Just when you thought it was safe to go back into the Windows waters, a new security shock surfaces. According to a Bleeping Computer report, a failed November Patch Tuesday fix could leave millions of Windows 10, Windows 11 and Windows Server users at risk of system takeover.
The most recent round of security fixes that landed just a couple of weeks ago as part of the monthly Patch Tuesday rollout included one for CVE-2021-41379. This Windows Installer elevation of privilege vulnerability could have given anyone with local access to your Windows computer the means to meddle with files they shouldn’t be able to access. However, in the update guide at the time, Microsoft stated that an attacker would “only be able to delete targeted files” on the system rather than gain the privileges required to view or otherwise modify the contents.
Still, this zero-day, like all vulnerabilities, warranted attention and a fix, which we thought had arrived. We were wrong, it would seem. What’s more, things have gone from bad to worse.
The researcher who discovered that original vulnerability, Abdelhamid Naceri, has now published a proof of concept (PoC) for a new zero-day targeting the Microsoft fix. The new zero-day works across all versions of Windows, well, at least the supported ones: Windows 10, Windows 11 and Windows Server. What’s more, it can elevate local user privileges to system ones, giving an attacker admin rights to the machine.
Naceri told Bleeping Computer he had gone public this time rather than disclose through the official Microsoft bug bounty program because that program had been “trashed since April 2020.” As many vulnerability researchers have noted, this appears to be a reference to the substantial drop in the monetary value of many bounties.
OK, so just how serious is this new exploit? Well, anything that can elevate privileges from user to admin has to be taken seriously; that’s a given. That it has been disclosed publicly just adds to the concern. The impact, however, is mitigated somewhat by the fact that local user access to the machine is required. What is more serious is that this is yet another example of Microsoft not properly fixing a security issue. The PrintNightmare emergency patching fiasco must still be fresh in the minds of many, I would imagine.
In his PoC write-up on GitHub, Naceri warns that there are no workarounds currently and the best thing for users to do is wait until Microsoft releases a patch. This means, I would imagine, looking out for the December Patch Tuesday rollout in a few weeks.
I have contacted Microsoft for a statement and will update this article to report anything further.