A nasty zero-day Windows vulnerability that Microsoft’s has so far been unsuccessful at patching has finally got an unofficial fix.
The CVE-2021-34484 (and later CVE-2022-21919), a 7.8 severity vulnerability allows elevation of privilege in Windows 10, Windows 11, and Windows Server, but has now been fixed by the 0patch team, and is available for download on this link for all registered users.
The flaw was first discovered by security researcher Abdelhamid Naceri, who disclosed it to Microsoft in the summer of 2021, with the company issuing a fix as part of its August 2021 Patch Tuesday.
If it's not broken, don't try to fix it
However, Naceri soon discovered that the patch itself was flawed, and published a proof-of-concept that showcase how an attacker could still abuse the vulnerability. Where Microsoft failed, 0patch succeeded. However, when Microsoft realized the patch failed, it gave the vulnerability a new tracking ID (CVE-2022-21919) and pushed another fix.
This one, according to Naceri, was “worse than the first” as it removed the initial unofficial fix, putting everyone who had applied it, back in harm’s way.
Now, 0patch has ported the fix, which now works with the March 2022 Patch Tuesday update. Same as with the previous one, this one is free for registered users, as well. Here’s the list of OS versions that can apply it:
Windows 10 v21H1 (32 & 64 bit) updated with March 2022 Updates
Windows 10 v20H2 (32 & 64 bit) updated with March 2022 Updates
Windows 10 v1909 (32 & 64 bit) updated with March 2022 Updates
Windows Server 2019 64 bit updated with March 2022 Updates
0patch’s original patch still works on Windows 10 1803, Windows 10 1809, and Windows 10 2004.
There are no evidence of the flaws being abused in the wild with malware, or viruses, the publication confirmed. The devices that reached end of life did not receive the update.
- Stay safe with our list of the best ransomware protection services right now
Via: BleepingComputer