Cybersecurity researchers have released an unofficial patch for a bug in Windows 10, originally reported to Microsoft in October 2020, which later research revealed could also be exploited as a local privilege escalation vulnerability.
Issuing the free micropatch, Mitja Kolsek, co-founder of the 0patch micropatching service, explains that 0patch too overlooked the vulnerability initially, since it was disclosed as an information disclosure bug, a class that normally isn't critical enough to warrant a micropatch.
The vulnerability, tracked as CVE-2021-24084, was discovered by security researcher Abdelhamid Naceri, who blogged about it in June 2021, detailing how it works and noting that Microsoft had not yet fixed it.
An upgraded bug
Kolsek points to an already fixed Windows privilege escalation vulnerability, tracked as CVE-2021-36934, as precedent that, under certain specific conditions, an arbitrary file disclosure can be upgraded and abused for local privilege escalation.
“In November, however, Abdelhamid pointed out that this - still unpatched - bug may not be just an information disclosure issue, but a local privilege escalation vulnerability… We confirmed this by using the procedure described in this blog post by Raj Chandel in conjunction with Abdelhamid's bug - and being able to run code as local administrator,” writes Kolsek, explaining the need to patch the bug.
The unofficial micropatch works on all affected Windows 10 versions and, as usual for 0patch, will be available for free until Microsoft releases an official fix for the issue.