CVE-2021-41379: Zero-day vulnerability with no patch in Windows 11, Windows 10 and Windows Server 2022

Cybersecurity specialists report the publication of an exploit for a critical zero-day vulnerability affecting Windows 10, Windows 11 and Windows Server systems. Described as a local privilege escalation, the flaw can be exploited to open a command prompt with SYSTEM privileges from a least-privilege account.

Successful exploitation of the vulnerability would allow threat actors to obtain high privileges on affected systems relatively easily, potentially allowing them to move laterally through the compromised network. According to the report, the flaw is present in all versions of the affected systems.

Tracked as CVE-2021-41379, the flaw was addressed by Microsoft in its latest security patch after researcher Abdelhamid Naceri submitted a report on this bug. Naceri himself subsequently reported a method to evade the fix implemented by Microsoft, leading to an even more dangerous privilege escalation scenario.

A few days ago, Naceri published a new version of his proof of concept (PoC) exploit, stating that the vulnerability had not been fixed correctly and that this creates a new attack risk: “I have decided to reveal this variant of PoC, as it is more powerful than the original exploit.”

The researcher also explains that while it is possible to configure group policies to restrict non-privileged users from performing MSI installation operations, the exploit can bypass this policy and still achieve system compromise. A group of experts tested Naceri’s exploit and achieved system compromise in a matter of minutes.

Naceri argues that he disclosed this new version of the exploit out of frustration with Microsoft’s bug bounty program: “Microsoft’s rewards have been very bad since April 2020; the community wouldn’t make these kinds of decisions if Microsoft took its rewards seriously.” The researcher concluded by mentioning that, although the bug could have earned up to $10,000 USD, he received a payment of only $1,000 USD.

Microsoft has not commented on these reports, although the cybersecurity community expects the company to release a complete patch in its next updates. Naceri also recommends that administrators not attempt to fix this flaw by patching the binary themselves, as this could break the installer.