A nasty zero-day Windows vulnerability that Microsoft’s has so far been unsuccessful at patching (opens in new tab) has finally got an unofficial fix.
The CVE-2021-34484 (and later CVE-2022-21919), a 7.8 severity vulnerability allows elevation of privilege in Windows 10, Windows 11, and Windows Server, but has now been fixed by the 0patch team, and is available for download on this link (opens in new tab) for all registered users.
The flaw was first discovered by security researcher Abdelhamid Naceri, who disclosed it to Microsoft in the summer of 2021, with the company issuing a fix as part of its August 2021 Patch Tuesday.
If it's not broken, don't try to fix it
However, Naceri soon discovered that the patch itself was flawed, and published a proof-of-concept that showcase how an attacker could still abuse the vulnerability. Where Microsoft failed, 0patch succeeded. However, when Microsoft realized the patch failed, it gave the vulnerability a new tracking ID (CVE-2022-21919) and pushed another fix.
This one, according to Naceri, was “worse than the first” as it removed the initial unofficial fix, putting everyone who had applied it, back in harm’s way.
> Windows 11 22H2 Update 'Sun Valley 2': everything we know so far (opens in new tab)
> This Windows Server update is causing a bunch of problems (opens in new tab)
> How to fix a stuck Windows update (opens in new tab)
Now, 0patch has ported the fix, which now works with the March 2022 Patch Tuesday update. Same as with the previous one, this one is free for registered users, as well. Here’s the list of OS versions that can apply it:
Windows 10 v21H1 (32 & 64 bit) updated with March 2022 Updates
Windows 10 v20H2 (32 & 64 bit) updated with March 2022 Updates
Windows 10 v1909 (32 & 64 bit) updated with March 2022 Updates
Windows Server 2019 64 bit updated with March 2022 Updates
0patch’s original patch still works on Windows 10 1803, Windows 10 1809, and Windows 10 2004.
There are no evidence of the flaws being abused in the wild with malware (opens in new tab), or viruses (opens in new tab), the publication confirmed. The devices that reached end of life did not receive the update.
- Stay safe with our list of the best ransomware protection services (opens in new tab) right now
Via: BleepingComputer (opens in new tab)