Tue | Nov 23, 2021 | 12:12 PM PST

A new Windows Zero-Day vulnerability has been disclosed that allows a low-privileged user to elevate to SYSTEM privileges on Windows 10, Windows 11, and Windows Server.

And the reason we know about it is what white hat hackers describe as shrinking bug bounty payouts from Microsoft.

Security researcher Abdelhamid Naceri was looking into a recent Microsoft patch known as CVE-2021-41379 when he found a workaround to the patch and a more powerful vulnerability. He published a working proof-of-concept to GitHub and explained his process:

"This variant was discovered during the analysis of the CVE-2021-41379 patch. The bug was not fixed correctly, however; instead of dropping the bypass, I have chosen to actually drop this variant as it is more powerful than the original one.

I have also made sure that the proof of concept is extremely reliable and doesn't require anything, so it works in every attempt. The proof of concept overwrites the Microsoft Edge elevation service DACL, copies itself to the service location and executes it to gain elevated privileges.

This technique may not work on every installation, because Windows installations such as Server 2016 and 2019 may not have the elevation service. I deliberately left in the code which takes over file open, so any file specified in the first argument will be taken over, with the condition that the SYSTEM account must have access to it and the file mustn't be in use. So you can elevate your privileges yourself."

He also advises end-users to wait for Microsoft to patch the vulnerability:

"The best workaround available at the time of writing this is to wait on Microsoft to release a security patch, due to the complexity of this vulnerability. Any attempt to patch the binary directly will break Windows installer. So you better wait and see how Microsoft will screw the patch again."
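The two things Naceri's description gives a defender to look for are a Microsoft Edge Elevation Service binary whose DACL has been rewritten and a binary that has been replaced by a copy of the PoC. The following PowerShell is an added example written for this article; it is not Naceri's code and not part of his proof-of-concept. It assumes the service is registered as MicrosoftEdgeElevationService (verify with Get-Service on your build) and that it runs from an elevated prompt, both of which are assumptions on my part.

```powershell
# Added example for this article, not the researcher's PoC.
# Audits the Microsoft Edge Elevation Service binary for the two signs the
# PoC leaves behind: a DACL writable by low-privileged principals, and a
# binary that is no longer Microsoft-signed (the PoC copies itself over it).
# Assumptions: service name below; run as an administrator.

function Test-ServiceBinaryTakeover {
    param(
        [Parameter(Mandatory)] [string] $ServiceName
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        # Naceri notes Server 2016/2019 may not ship the elevation service;
        # without it, this particular PoC path does not apply.
        return [pscustomobject]@{ Service = $ServiceName; Present = $false; Findings = @() }
    }

    # PathName may be quoted and may carry arguments; keep only the executable.
    $exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1').Trim()
    $findings = @()

    # 1. Signature check: a PoC copy dropped over the binary will not be validly
    #    signed by Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') {
        $findings += "Binary $exe is not validly signed (status: $($sig.Status))"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "Binary $exe is signed by an unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # 2. DACL check: the PoC overwrites the DACL so a low-privileged user can write
    #    to the service location. Flag Allow ACEs granting write-class rights to
    #    broad principals. Owner is reported too, since ownership changes are a
    #    common companion of a DACL rewrite.
    $acl = Get-Acl -Path $exe
    $lowPriv = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $writeRights) -ne 0) -and
            ($lowPriv -contains $ace.IdentityReference.Value)) {
            $findings += "Weak ACE on $exe`: $($ace.IdentityReference) has $($ace.FileSystemRights)"
        }
    }

    [pscustomobject]@{
        Service  = $ServiceName
        Present  = $true
        Binary   = $exe
        Owner    = $acl.Owner
        Findings = $findings
    }
}

# Usage: the service name is an assumption; confirm it with Get-Service.
$result = Test-ServiceBinaryTakeover -ServiceName 'MicrosoftEdgeElevationService'
$result | Format-List
if ($result.Findings.Count -gt 0) { Write-Warning 'Elevation service binary looks tampered with; investigate.' }
```

A clean system should report a validly signed binary, an owner of NT SERVICE\TrustedInstaller or Administrators, and no findings. Because Naceri's PoC generalizes the take-over to any file SYSTEM can access that is not in use, the same function can be pointed at other service binaries by changing the service name; the checks do not depend on anything specific to Edge.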

Security researchers frustrated with Microsoft bug bounties

Naceri told BleepingComputer why he chose to publicly disclose the Zero-Day vulnerability, and he says the answer is quite simple. He has grown increasingly frustrated with Microsoft's bug bounty payouts, saying they have been "trashed" since April of last year.

And he's not the only one. Other security researchers have taken to Twitter to share their frustrations:

Some have gone on the Reddit thread r/hacking to discuss their disappointing experiences with the Microsoft bug bounty program. One user shared this:

Bug bounty programs: how do they work?

Listen to our podcast interview with Brian Gorenc, Director of the Zero Day Initiative:
