Hacker publishes Windows zero-day after Microsoft patch fails
A security researcher has released a proof-of-concept for a bug in Windows that could allow local privilege escalation. The bug derives from a vulnerability that was patched earlier during Patch Tuesday.
The vulnerability was discovered by security researcher Abdelhamid Naceri. He has posted a working proof-of-concept on GitHub and calls the bug InstallerFileTakeOver. Notably, it is a variant of a bug that Microsoft had previously fixed.
Microsoft fixed a similar bug during the most recent Patch Tuesday. That update included a patch for CVE-2021-41379, a privilege escalation that made it possible to delete files on a system with admin privileges. It was not possible to read or write files. The bug can be hidden in an MSI installer file. System administrators can set user rights so that standard users cannot access such files, but according to Naceri, the new zero-day circumvents those policies.
Naceri writes on GitHub that the bug was not properly fixed during Patch Tuesday. “I chose to release this variant now because it is more powerful than the original bug,” he writes. The PoC he published works on Windows 10 and Windows 11, and on Windows Server.
The researcher tells BleepingComputer that he published the malware out of dissatisfaction with Microsoft’s bug bounty program. He says that the company has been paying significantly lower bug bounties for a year and a half. If the company hadn’t, he wouldn’t have published the bug, he says.