Security News > 2021 > November > Windows 10 Privilege-Escalation Zero-Day Gets an Unofficial Fix
A partially unpatched security bug in Windows that could allow local privilege escalation from a regular user to System remains unaddressed fully by Microsoft - but an unofficial micropatch from oPatch has hit the scene.
"The vulnerability lies in the User Profile Service, specifically in the code responsible for creating a temporary user profile folder in case the user's original profile folder is damaged or locked for some reason," explained 0Patch's Mitja Kolsek in a Thursday writeup.
The exploit is straightforward: An attacker would create a specially crafted symbolic link, then would need to save it in the temporary user profile folder.
When the User Profile Service copies a folder from user's original profile folder as described by Kolsek, the symbolic link will force it to create a folder containing a malicious library payload somewhere else where the attacker would normally not have permissions to create one.
"Microsoft, even though believing the vulnerability only allowed for deletion of an arbitrarily 'symlinked' folder, made a conceptually correct fix: it checked whether the destination folder under C:UsersTEMP was a symbolic link, and aborted the operation if so," explained Kolsek.
"The incompleteness of this fix, as noticed by Abdelhamid, was in the fact that the symbolic link need not be in the upper-most folder, but in any folder along the destination path."
News URL
https://threatpost.com/windows-10-privilege-escalation-zero-day-unofficial-fix/176313/
Related news
- “Perfect” Windows downgrade attack turns fixed vulnerabilities into zero-days (source)
- Windows 10 KB5041580 update released with 14 fixes, security updates (source)
- New Windows SmartScreen bypass exploited as zero-day since March (source)
- Windows driver zero-day exploited by Lazarus hackers to install rootkit (source)
- New Windows 10 22H2 beta fixes memory leaks and crashes (source)
- Windows 10 KB5041582 update released with 5 changes and fixes (source)
- Microsoft fixes Windows Smart App Control zero-day exploited since 2018 (source)
- Windows 10 KB5043064 update released with 6 fixes, security updates (source)
- Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack (source)
- Windows vulnerability abused braille “spaces” in zero-day attacks (source)