Security researcher Abdelhamid Naceri has discovered a new zero-day vulnerability that allows a person to gain SYSTEM privileges in a matter of seconds. The vulnerability is known to affect all supported versions of Windows, including Windows 10, Windows 11, and Windows Server.
The published script launches the command prompt with SYSTEM privileges from a user account with standard privileges.
Microsoft has fixed CVE-2021-41379 with the November 2021 hotfix, a Windows Installer privilege escalation vulnerability that Naceri also discovered.
Naceri discovered a new exploit version while analyzing CVE-2021-41379, noting that the original issue had not been fixed correctly. He chose not to publish a workaround for the fix that Microsoft released, stating that the new version he posted was more powerful than the original.
Abdelhamid Naceri has released public information about the vulnerability due to frustration with the Microsoft Bug Bounty program. The fact is that in April 2020, Microsoft reduced the amount of rewards for discovered vulnerabilities in its products. For example, the company used to pay about $ 10,000 for a zero-day vulnerability, while now the remuneration is only $ 1,000.
Under Microsoft's new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000 💀
— MalwareTech (@MalwareTechBlog) July 27, 2020
To test the exploit, BleepingComputer launched the script on Windows 10 version 21H1 (build 19043.1348), and confirmed that it does its work successfully.
Naceri also explained that Windows includes group policies to prevent 'Standard' users from performing MSI installer operations, but his exploit bypasses this policy and remains fully functional.
Microsoft is aware of the public disclosure for this vulnerability. The company is expected to release a fix for it as soon as possible.
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:
I have stopped receiving your daily email blogs. Do I have to use an alternative now please?