LandzDown Forum

Security => Security Alerts & Briefings => Topic started by: securitybreach on November 23, 2021, 09:25:06 PM

Title: New Windows zero-day with public exploit lets you become an admin
Post by: securitybreach on November 23, 2021, 09:25:06 PM
Quote
A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server.

BleepingComputer has tested the exploit and used it to open a command prompt with SYSTEM privileges from an account with only low-level 'Standard' privileges.

Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.

The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022....

However, Naceri warned that it is not advised to try and fix the vulnerability by attempting to patch the binary as it will likely break the installer.

"The best workaround available at the time of writing this is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability," explained Naceri.

"Any attempt to patch the binary directly will break Windows Installer. So you better wait and see how Microsoft will screw the patch again."

https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
Title: Re: New Windows zero-day with public exploit lets you become an admin
Post by: Corrine on November 23, 2021, 09:30:25 PM
Quote
"The best workaround available at the time of writing this is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability," explained Naceri.

Plus, practice safe computing.  Due to the upcoming Thanksgiving holiday, I have the feeling we won't see an "Out of Band" update and may have to wait until December 14th (the next "Patch Tuesday").
Title: Re: New Windows zero-day with public exploit lets you become an admin
Post by: securitybreach on November 23, 2021, 09:34:38 PM
Yeah, unfortunately I think you are correct about that.
Title: Re: New Windows zero-day with public exploit lets you become an admin
Post by: Digerati on November 24, 2021, 12:56:06 PM
Quote
When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft's decreasing payouts in their bug bounty program.

So in other words, the crybaby disclosed the zero-day vulnerability totally out of greed because his reward would only be $1,000 instead of the $10,000 he thought he deserved.  >:(

What a brat.

Let's not forget how this particular vulnerability may be exploited. The bad guy must have "limited access to a compromised device". That is, the bad guy must have physical access to the machine. How likely is that to happen and go unnoticed?

And then he or she must somehow be able to log into that Standard account. How? With the username "standard" and password, "12345678"?  It is not like a hacker in N. Korea or Iran can suddenly gain admin privileges on our systems with a couple of clicks of his mouse.

"Security researcher"? Yeah right! He's a hacker. And not a white hat hacker either.
Title: Re: New Windows zero-day with public exploit lets you become an admin
Post by: xrobwx71 on November 26, 2021, 02:33:26 PM
I would be more worried about slack remote connection policies. This would give an antagonist physical access as if they were there. They could also do it undetected if other vulnerabilities were present, i.e. SSH, RDP, etc.
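The point above, that a reachable remote logon turns a "local" privilege escalation into a network-reachable one, is something you can check for rather than guess at. The following PowerShell audit is an added example written for this page; it is not code from the thread, from BleepingComputer or from the researcher. It assumes a Windows 10/11 or Server 2016+ host with the built-in NetSecurity and LocalAccounts modules, run from an elevated prompt, and reports whether RDP or SSH is enabled, whether Network Level Authentication is required, which firewall rules admit RDP and from which addresses, and which non-admin accounts are allowed to log on remotely (the low-privilege foothold a SYSTEM escalation would start from).

```powershell
# Added example (not from the thread): audit the remote-access surface that
# would let an attacker reach a Standard account over the network.
# Assumptions: Windows 10/11 or Server 2016+, PowerShell 5.1+, elevated prompt
# so the registry, firewall and local-group queries succeed.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Is Remote Desktop enabled at all? (fDenyTSConnections = 0 means enabled.)
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections -ErrorAction SilentlyContinue
$rdpEnabled = ($null -ne $ts -and $ts.fDenyTSConnections -eq 0)
if ($rdpEnabled) { $findings.Add('RDP is enabled (fDenyTSConnections = 0).') }

# 2. If RDP is enabled, is Network Level Authentication required?
#    Without NLA an unauthenticated client reaches the logon screen and can
#    guess weak passwords for any account that is allowed to log on remotely.
$nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                        -Name UserAuthentication -ErrorAction SilentlyContinue
if ($rdpEnabled -and ($null -eq $nla -or $nla.UserAuthentication -ne 1)) {
    $findings.Add('RDP does not require Network Level Authentication (UserAuthentication != 1).')
}

# 3. Which enabled inbound firewall rules admit RDP, on which profile, from where?
#    RemoteAddress 'Any' on the Public profile means the listener is reachable
#    from outside the LAN as soon as the router forwards TCP 3389.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound `
                    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $findings.Add("Inbound RDP rule '$($_.DisplayName)' on profile '$($_.Profile)' allows RemoteAddress: $($addr -join ',')")
    }

# 4. Who may log on over RDP? Administrators always can; every member of
#    Remote Desktop Users is an extra low-privilege account an LPE would start from.
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Remote Desktop Users member: $($_.Name) ($($_.ObjectClass))") }

# 5. Other remote entry points: the OpenSSH server service, and anything
#    listening on SSH (22), RDP (3389) or WinRM (5985/5986).
$sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
if ($sshd) { $findings.Add("OpenSSH server present, status: $($sshd.Status), start type: $($sshd.StartType)") }
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 22, 3389, 5985, 5986 } |
    ForEach-Object { $findings.Add("Listening on $($_.LocalAddress):$($_.LocalPort) (PID $($_.OwningProcess))") }

if ($findings.Count -eq 0) { 'No remote-access exposure found.' } else { $findings }
```

An empty result is the baseline a home or small-office machine should show. Anything in the list is a path by which someone who is not physically present still ends up at the "limited access" starting point the article describes, and the RDP firewall rule with RemoteAddress 'Any' on the Public profile is the one most worth tightening to a LocalSubnet or VPN range.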
Title: Re: New Windows zero-day with public exploit lets you become an admin
Post by: Digerati on November 26, 2021, 03:28:40 PM
Quote
I would be more worried about slack remote connection policies.

This is true. And I am not trying to minimize the severity of that vulnerability. And certainly, Microsoft needs to patch it quickly. But realistically, how worried are you that this might happen with one of your computers? Or the computers belonging to your family, friends and clients?

That is, how many users do you know even have remote access set up? That is, to allow access from outside their own network? I think I know two, and both are IT professionals. How many users do you know leave their computers out, unattended and exposed where strangers or untrustworthy users can sit down at that computer and exploit this vulnerability?

So I think that illustrates my point, but from a different angle. That "security researcher" ::)  had his little puerile tantrum because his reward was not as big as he greedily thought it should be. Yet we have to wonder, how serious, or rather how likely is it that this vulnerability will be exploited? How many users are likely to be victimized? I have to think it would be very few.

Now I don't know about others, or that security researcher, but a $1000 "reward" is not chump-change to me. This guy is not a Microsoft employee. He didn't risk his life or his own security. He was not hired by or contracted by Microsoft to find security flaws in Windows.

He did not selflessly sacrifice anything! And yet he's so mad at Microsoft because they wouldn't give him $10,000, that he selfishly and recklessly put others at risk!  >:( >:( >:(