Security News > 2021 > November > Windows 10 Privilege-Escalation Zero-Day Gets an Unofficial Fix
A partially unpatched security bug in Windows that could allow local privilege escalation from a regular user to System remains unaddressed fully by Microsoft - but an unofficial micropatch from oPatch has hit the scene.
"The vulnerability lies in the User Profile Service, specifically in the code responsible for creating a temporary user profile folder in case the user's original profile folder is damaged or locked for some reason," explained 0Patch's Mitja Kolsek in a Thursday writeup.
The exploit is straightforward: An attacker would create a specially crafted symbolic link, then would need to save it in the temporary user profile folder.
When the User Profile Service copies a folder from user's original profile folder as described by Kolsek, the symbolic link will force it to create a folder containing a malicious library payload somewhere else where the attacker would normally not have permissions to create one.
"Microsoft, even though believing the vulnerability only allowed for deletion of an arbitrarily 'symlinked' folder, made a conceptually correct fix: it checked whether the destination folder under C:UsersTEMP was a symbolic link, and aborted the operation if so," explained Kolsek.
"The incompleteness of this fix, as noticed by Abdelhamid, was in the fact that the symbolic link need not be in the upper-most folder, but in any folder along the destination path."
News URL
https://threatpost.com/windows-10-privilege-escalation-zero-day-unofficial-fix/176313/
Related news
- Windows 10 KB5046613 update released with fixes for printer bugs (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- How a Windows zero-day was exploited in the wild for months (CVE-2024-43451) (source)
- Microsoft just killed the Windows 10 Beta Channel again (source)
- Microsoft just killed the Windows 10 Beta Channel for good (source)
- Microsoft pulls WinAppSDK update breaking Windows 10 app uninstalls (source)
- Windows 10 KB5046714 update fixes bug preventing app uninstalls (source)
- New Windows 10 0x80073CFA fix requires installing WinAppSDK 3 times (source)
- RomCom hackers chained Firefox and Windows zero-days to deliver backdoor (source)
- RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks (source)