Zero-day affecting Windows 10, Windows 11, and Windows Server lets anyone gain administrator privileges
A new Windows zero-day that affects Windows 10, Windows 11, and Windows Server lets anyone gain administrative privileges on a device. It affects all supported versions of Windows and allows an attacker with limited access to a device to easily elevate their privileges in order to spread across the network.
BleepingComputer has tested the exploit on Windows and was able to use it to open a command prompt with SYSTEM privileges from an account that only had "Standard" privileges. The vulnerability, discovered by security researcher Abdelhamid Naceri, is a bypass of the patch Microsoft rolled out for CVE-2021-41379 in this month's Patch Tuesday release. Naceri released a proof-of-concept on GitHub that shows how to exploit the vulnerability, and BleepingComputer confirmed that Naceri's "InstallerFileTakeOver" exploit gains SYSTEM privileges in mere seconds. It was tested on Windows 10 21H1 build 19043.1348.
"This variant was discovered during the analysis of CVE-2021-41379 patch. The bug was not fixed correctly, however, instead of dropping the bypass," explains Naceri on GitHub. "I have chosen to actually drop this variant as it is more powerful than the original one." When asked by BleepingComputer why he disclosed the zero-day vulnerability publicly, he said that he did it out of frustration over Microsoft reducing the payouts in its bug bounty program. "Microsoft bounties have been trashed since April 2020, I really wouldn't do that if MSFT didn't take the decision to downgrade those bounties," he said.
Naceri isn’t the first researcher to voice his concerns regarding Microsoft’s decreased bug bounty payouts. Lower value payouts encourage hackers to keep vulnerabilities to themselves, or worse, sell them to others who may use them maliciously.
Under Microsoft’s new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000 💀
— MalwareTech (@MalwareTechBlog) July 27, 2020
We expect that Microsoft will attempt to patch this vulnerability in a future Patch Tuesday update. Naceri says that the best workaround is to wait for Microsoft to release a security patch for the affected Windows versions.