Group releases unofficial fix for Windows zero-day vulnerability – Nairobi Times

A critical Windows 10 security flaw that allows elevation of system user privileges has gained an unofficial fix by the 0patch microfix group. Microsoft was made aware of the vulnerability in October 2020, but has so far not provided an official solution.

The vulnerability, documented as CVE-2021-24084, was discovered by Abdelhamid Naceri and released to the public in June 2021, nearly a year after the security researcher notified Microsoft of its existence. At the time, Naceri believed that the flaw only allowed low-privileged users to access documents classified for administrators.

However, a few months later, Naceri discovered that this same vulnerability could be used to elevate system users’ privileges, jeopardizing the reliability of the Windows hierarchy, particularly for businesses.

Want to catch up on the best tech news of the day? Access and subscribe to our new youtube channel, Kenyannews News. Every day a summary of the main news from the tech world for you!

Mitja Kolsek, co-founder of 0patch, explains that the team was not initially interested in releasing an unofficial fix for the flaw, as access to documents by unprivileged users is not considered critical.

However, after seeing Naceri’s Twitter post informing him of the possibility of elevating privileges, the team decided to act.

I mean this is still unpatched and allow LPE if shadow volume copies are enabled; But I noticed that it doesn’t work on windows 11 https://t.co/HJcZ6ew8PO

— Abdelhamid Naceri (@KLINIX5) November 15, 2021

For Kolsek, the flaw works similar to CVE 2021-36934, currently corrected by Microsoft, which allowed, based on specific conditions, that a document accessed by unprivileged users could be abused to elevate the credentials of system accounts.

The unofficial fix is ​​freely available from the 0path website and will continue to be downloadable until Microsoft officially fixes the vulnerability. It can be applied on the following versions of Windows 10:

• Windows 10 v21H1 (32 & 64 bit) with November 2021 updates;
• Windows 10 v20H2 (32 & 64 bit) with November 2021 updates;
• Windows 10 v2004 (32 & 64 bit) with November 2021 updates;
• Windows 10 v1909 (32 & 64 bit) with November 2021 updates;
• Windows 10 v1903 (32 & 64 bit) with November 2021 updates;
• Windows 10 v1809 (32 & 64 bit) with May 2021 updates.

Windows has had other unofficial fixes

Unofficial fixes for Windows crashes are nothing new. The same 0patch group, in early November, released a fix for the Windows bug CVE-2021-34484, which affected several versions of Windows 10.

Generally, unofficial fixes are developed with the help of bug studies. Both in the case corrected on Friday (26) and in the case earlier this month, 0patch had the help of Naceri, also responsible for identifying the fault CVE-2021-34484,