Zero-day affecting Windows 10, Windows 11 and Windows Server allows anyone to gain administrator privileges
A new Windows zero-day that affects Windows 10, Windows 11, and Windows Server allows anyone to gain administrative privileges on a device. It affects all supported versions of Windows and lets an attacker with limited access to a device easily elevate their privileges in order to spread across the network.
BleepingComputer tested the exploit on Windows and was able to use it to open a command prompt with SYSTEM privileges from an account that only had “Standard” privileges. This vulnerability is a bypass of a patch deployed by Microsoft in response to CVE-2021-41379 and was discovered by security researcher Abdelhamid Naceri. The fix for CVE-2021-41379 was applied in this month’s Patch Tuesday release. Naceri posted a proof of concept on GitHub that shows how to exploit the vulnerability, and BleepingComputer demonstrated how Naceri’s “InstallerFileTakeOver” exploit works in seconds to gain SYSTEM privileges. It was tested on Windows 10 21H1 build 19043.1348.
“This variant was discovered while analyzing the CVE-2021-41379 patch. The bug was not fixed properly, however, instead of abandoning the workaround,” Naceri explains on GitHub. “I chose to drop this variant because it is more powerful than the original.” Asked by BleepingComputer why he publicly disclosed the zero-day vulnerability, he said he did so out of frustration over Microsoft’s cut payouts in its bug bounty program. “Microsoft bounties have been phased out since April 2020. I really wouldn’t if MSFT didn’t make the decision to downgrade those bounties,” he said.
Naceri isn’t the first researcher to voice concerns about Microsoft’s dwindling bug bounty payments. Low-value payments encourage hackers to keep vulnerabilities for themselves, or worse, sell them to others who could use them for malicious purposes.
As part of Microsoft’s new Bug Bounty program, one of my zerodays went from $10,000 to $1,000 💀
—MalwareTech (@MalwareTechBlog) July 27, 2020
We expect Microsoft to attempt to fix this vulnerability in a future Patch Tuesday update. Naceri says the best course of action is to wait for Microsoft to release a security patch for the various affected Windows versions.