There is a new zero-day problem in Windows, and this time the bug has been made public by an angry security researcher. The vulnerability lets a Command Prompt run with unauthorized system privileges, which could be used to spread dangerous content over the network.
According to a report by Bleeping Computer, Abdelhamid Naceri, the security researcher who revealed this bug, is frustrated with Microsoft over payouts from its bug bounty program. The payouts have apparently been cut significantly over the past two years. Naceri isn’t alone either. One Twitter user reported in 2020 that zero-day vulnerabilities no longer pay $10,000 and are now valued at $1,000. Earlier this month, another Twitter user reported that bounties can be reduced at any time.
Microsoft apparently fixed a zero-day issue with the latest round of “Patch Tuesday” updates, but the fix was incorrect and left the underlying problem unpatched. Naceri bypassed the patch and found a more powerful variant. The zero-day vulnerability affects all supported versions of Windows, including Windows 8.1, Windows 10, and Windows 11.
“This variant was discovered during the analysis of the CVE-2021-41379 patch. However, the bug was not properly fixed. Instead of dropping the bypass, I chose to actually drop this variant because it’s more powerful than the original,” explains Naceri in a GitHub post.
His proof of concept is on GitHub, and Bleeping Computer has tested and executed the exploit. According to the publication, it is also being exploited by malware in the wild.
In a statement, a Microsoft spokesperson said the company will do whatever it takes to keep its customers safe and protected. The company also said it is aware of the disclosure of the latest zero-day vulnerability. It noted that, for the exploit to work, attackers must already have access to the target’s computer and the ability to run code on it.
Given the Thanksgiving holiday in the US and the fact that an attacker needs physical access to the PC, it could be a while before a patch is released. Microsoft usually releases fixes on the second Tuesday of every month, also known as “Patch Tuesday,” and it tests bug fixes with Windows Insiders first. A fix could therefore arrive on December 14.