A recent report details the steps to exploit a zero-day vulnerability in Windows systems that, under certain conditions, would allow threat actors to escalate their privileges to the SYSTEM user. While this is a critical vulnerability, exploitation requires the attacker to know the username and password of two different users, which makes an attack in the wild very difficult.

In August, Microsoft released an update to address a vulnerability tracked as CVE-2021-34484, described as a privilege escalation flaw in the Windows User Profile Service. Abdelhamid Naceri, the researcher who reported the flaw, analyzed the Microsoft patch, found that it was insufficient to mitigate the risk of exploitation, and demonstrated a bypass that he published on GitHub.

According to the researcher, Microsoft did not address the underlying bug described in his report, but only blocked the specific proof of concept (PoC) he submitted: “The company only addressed a symptom, not the real cause; the privilege escalation vulnerability is still present.”

Subsequently, vulnerability analysis specialist Will Dormann tested the flaw and found that the attack could not always be successfully completed.

The researcher notes that requiring the credentials of two different users complicates exploitation of the flaw in real-world scenarios. However, the vulnerability exists in all versions of Windows, including Windows 10, Windows 11 and Windows Server 2022, so system administrators should not dismiss the risk.

Several members of the cybersecurity community have tried to contact Microsoft to learn the company's official position on this vulnerability, but so far they have not received any response. Many believe that, given the difficulty of exploitation, the company might not release security patches to address this flaw.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post CVE-2021-34484: Zero-day vulnerability affects billions of Windows users. No patch available appeared first on Information Security Newspaper | Hacking News.

