Security News > 2021 > November > New Windows 10 zero-day gives admin rights, gets unofficial patch

Free unofficial patches have been released to protect Windows users from a local privilege escalation zero-day vulnerability in the Mobile Device Management Service impacting Windows 10, version 1809 and later.

While Microsoft has most likely also noticed Naceri's June disclosure, the company is yet to patch this LPE bug, exposing Windows 10 systems with the latest November 2021 security updates to attacks.

Unnoficial patches for all impacted Windows 10 systems.

"Windows 10 v1803 and older Windows 10 versions don't seem to be affected either. While they do have the 'Access work or school' functionality, it behaves differently and cannot be exploited this way. Windows 7 does not have the 'Access work or school' functionality at all."

This is the second Windows zero-day that received a micropatch this month after Naceri found that patches for another bug in the Windows User Profile Service could be bypassed to escalate privileges on all Windows versions, even if fully patched.

If successfully exploited, the zero-day allows attackers to gain SYSTEM privileges on up-to-date devices running the latest Windows versions, including Windows 10, Windows 11, and Windows Server 2022.

News URL

https://www.bleepingcomputer.com/news/security/new-windows-10-zero-day-gives-admin-rights-gets-unofficial-patch/