Microsoft has had plenty of time to fix a security vulnerability. After the vulnerability was disclosed, a patch was released, but it was shown not to be fully effective. Now a third-party security specialist has stepped in to develop a patch for the Windows 10 and 11 security vulnerability.
Windows Security Vulnerability Known Since August
Microsoft has a confirmed vulnerability in Windows 10, 11, and older versions, and it has known about it since August. The company appeared to fix it; however, the same security researcher who discovered the Windows User Profile Service 0day LPE vulnerability found the patch ineffective. The zero-day vulnerability can give attackers a foothold that allows them to take control of your Windows system.
Security researcher Abdelhamid Naceri reported the proof of concept, and Microsoft released a patch. However, Naceri found that attackers could get past the patch and obtain system privileges, provided all the necessary components were in place. The result is an elevated command prompt that appears when the User Account Control prompt is shown.
Will Dormann, a CERT/CC vulnerability analyst, tested it and found that it worked. Yet he also found that it didn’t always produce the elevated command prompt.
While this flaw is definitely a threat to your Windows system, it requires attackers to already know another user’s login details, which limits the systems it can affect.
It was announced in October that Microsoft’s patch didn’t work. Yet it’s now November, and a new patch still hasn’t been released – at least not by Microsoft.
0patch Releases a Security Patch
0patch, a third-party security specialist, stepped into the void to provide a fix. “Micropatches for this vulnerability will be free until Microsoft has issued an official fix,” announced 0patch.
Information in Naceri’s writeup and proof of concept for the Windows User Profile Service 0Day LPE was used to develop the 0patch micropatch.
“While this vulnerability already has its CVE ID (CVE-2021-33742), we’re considering it to be without an official vendor fix and therefore a 0day,” shared Mitja Kolsek, 0patch co-founder. “Micropatches for this vulnerability will be free until Microsoft has issued an official fix.”
This is one of the rare cases where running the latest system update doesn’t help. Microsoft’s fix was found to be flawed, and the flaw isn’t as damaging on older systems, but all versions remain vulnerable.
“The vulnerable code is different [in older Windows versions], making the windows for winning the race condition extremely narrow and probably exploitable,” said Kolsek.
Nevertheless, staying updated is always wiser than not. Once Microsoft does issue a fix or patch for the zero-day vulnerability, you’ll want to be running the latest version.