Windows Zero-Day Allows Admin Escalation, Exploit PoC is Public

A recently disclosed Windows zero-day flaw allows a local attacker to escalate privileges on Windows 10, Windows 11, and Windows Server, potentially to an administrator account.

This is a patch-bypass case: the flaw circumvents a fix that Microsoft had already issued. Independent security researcher and bug bounty hunter Abdelhamid Naceri found that the recent patch could be bypassed, so the bypass extends the issue originally tracked as CVE-2021-41379. Naceri publicly released a working proof-of-concept exploit, which makes this matter actively perilous. He decided to release the PoC publicly after seeing bounties for impactful bugs decrease; in some people's experience, a bounty was cut tenfold.

X-Force's advice for the current situation, mapped to MITRE ATT&CK mitigations, is as follows:

  • Any attempt to patch the binary directly may break Windows Installer. Do not attempt to fix the vulnerability yourself; wait until a new patch is issued.
  • Proactively reset accounts known to be part of breached credential sets, either immediately or after detecting brute-force attempts (M1018).
  • Set account lockout policies that lock an account after a certain number of failed login attempts, to prevent passwords from being guessed. Too strict a policy may create a denial-of-service condition and render environments unusable, with every account targeted by the brute force being locked out (M1036).
  • Properly manage the accounts and permissions used by parties in trusted relationships, to minimize potential abuse by the party itself and the damage if that party is compromised by an adversary (M1056).
  • Use endpoint capabilities that prevent suspicious behavior patterns from occurring, such as suspicious process, file, or API-call behavior (M1040).
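The M1018 and M1036 items above hinge on the same measurement: how many failed logons an account (or a source) accumulates in a short window, and what a lockout threshold applied to that activity would do. The following is an added example, not code from the post or from X-Force, that runs that logic over constructed log lines loosely modelled on Windows Security event 4625 (failed logon) and 4624 (successful logon). The line format, field names, the 10-minute window and the thresholds are all assumptions chosen for the example; it is written in Python so it runs anywhere, rather than as a PowerShell query against the real event log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not captured logs). Fields mimic the TargetUserName
# and IpAddress values of Windows Security events 4625 (failed) / 4624 (success).
# 10.0.0.5 hammers one account; 10.0.0.9 sprays four accounts twice each;
# 10.0.1.20 is a user who mistyped once and then logged in.
SAMPLE_LOG = """\
2021-11-23T10:00:01 EventID=4625 TargetUserName=jdoe IpAddress=10.0.0.5
2021-11-23T10:00:04 EventID=4625 TargetUserName=jdoe IpAddress=10.0.0.5
2021-11-23T10:00:07 EventID=4625 TargetUserName=jdoe IpAddress=10.0.0.5
2021-11-23T10:00:10 EventID=4625 TargetUserName=jdoe IpAddress=10.0.0.5
2021-11-23T10:00:13 EventID=4625 TargetUserName=jdoe IpAddress=10.0.0.5
2021-11-23T10:00:16 EventID=4625 TargetUserName=jdoe IpAddress=10.0.0.5
2021-11-23T10:02:00 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9
2021-11-23T10:02:01 EventID=4625 TargetUserName=bob IpAddress=10.0.0.9
2021-11-23T10:02:02 EventID=4625 TargetUserName=carol IpAddress=10.0.0.9
2021-11-23T10:02:03 EventID=4625 TargetUserName=dave IpAddress=10.0.0.9
2021-11-23T10:02:30 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9
2021-11-23T10:02:31 EventID=4625 TargetUserName=bob IpAddress=10.0.0.9
2021-11-23T10:02:32 EventID=4625 TargetUserName=carol IpAddress=10.0.0.9
2021-11-23T10:02:33 EventID=4625 TargetUserName=dave IpAddress=10.0.0.9
2021-11-23T11:30:00 EventID=4625 TargetUserName=erin IpAddress=10.0.1.20
2021-11-23T11:30:20 EventID=4624 TargetUserName=erin IpAddress=10.0.1.20
"""

# Assumed line layout for this example; a real collector would hand over
# structured fields instead of a one-line-per-event text dump.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

WINDOW = timedelta(minutes=10)  # assumed observation window


def parse_log(text):
    """Parse the sample lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["eid"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def max_in_window(timestamps, window):
    """Largest number of timestamps inside any interval of length `window`
    (two-pointer sweep over the sorted list)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def failed_logons_by_key(events, key, window=WINDOW):
    """Peak burst of 4625 events per `key` ('user' or 'ip') within the window."""
    buckets = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            buckets[e[key]].append(e["ts"])
    return {k: max_in_window(v, window) for k, v in buckets.items()}


def accounts_to_reset(events, threshold=5, window=WINDOW):
    """M1018: accounts whose failed-logon burst reaches `threshold` are
    candidates for a proactive credential reset."""
    bursts = failed_logons_by_key(events, "user", window)
    return sorted(u for u, n in bursts.items() if n >= threshold)


def lockout_impact(events, lockout_threshold, window=WINDOW):
    """M1036 caveat: the accounts a lockout policy with this threshold would
    lock given the same activity. A low threshold locks every sprayed account,
    which is the denial-of-service condition the advice warns about."""
    bursts = failed_logons_by_key(events, "user", window)
    return sorted(u for u, n in bursts.items() if n >= lockout_threshold)


def spraying_sources(events, min_accounts=3):
    """Source addresses that failed against at least `min_accounts` distinct
    accounts: the pattern where a per-account lockout policy hurts the most."""
    targets = defaultdict(set)
    for e in events:
        if e["event_id"] == 4625:
            targets[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in targets.items() if len(users) >= min_accounts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("reset candidates (>=5 failures):", accounts_to_reset(evs))
    print("locked with threshold 2:", lockout_impact(evs, 2))
    print("locked with threshold 5:", lockout_impact(evs, 5))
    print("spraying sources:", spraying_sources(evs))
```

Running it shows the trade-off in the M1036 item directly: with a lockout threshold of 5 only the hammered account `jdoe` is affected, while a threshold of 2 also locks `alice`, `bob`, `carol` and `dave`, the four accounts the spraying source touched, even though none of those accounts was guessed more than twice. Pairing the per-source view (`spraying_sources`) with the per-account view is what lets a responder choose a reset (M1018) over a blanket lockout when the activity comes from one address.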

You can get rolling updates from X-Force here: https://exchange.xforce.ibmcloud.com/collection/Windows-Zero-Day-Allows-Admin-Escalation-6b0dee811f13a7b738bd86fe3fde6ee5

Sébastien J.

Executive Coach in Cyber Crisis Management, Author & Speaker in Cybersecurity, Krav-Maga Instructor

3 years

Thx Limor, useful message to be spread, ttys
