There is a new zero-day issue in Windows, and this time the bug has been revealed to the public by an angry security researcher. The vulnerability lets a user obtain a Command Prompt with unauthorized system privileges, which could then be used to spread malicious content across the network.
According to a report by BleepingComputer, security researcher Abdelhamid Naceri, who uncovered this bug, is disappointed with Microsoft over payouts from its bug bounty program. The bounties have apparently been reduced significantly over the past two years. Naceri is not alone: a Twitter user reported in 2020 that zero-day vulnerabilities no longer pay $10,000 and are now worth $1,000. Earlier this month, another Twitter user was told that the rewards can be reduced at any time.
Microsoft apparently fixed a zero-day issue with the latest round of “Patch Tuesday” updates, but another, unpublished one was fixed incorrectly. Naceri bypassed the patch and found a more powerful variant. The zero-day vulnerability affects all supported versions of Windows, including Windows 8.1, Windows 10, and Windows 11.
“This variant was discovered during the analysis of the CVE-2021-41379 patch. However, the bug was not fixed; instead, the bypass was dropped. I actually chose to skip this version because it is more powerful than the original version,” Naceri explained in a GitHub post.
His proof of concept is on GitHub, and BleepingComputer tested the exploit and confirmed it runs. According to the publication, it is also being exploited in the wild by malware.
A Microsoft spokesperson said in a statement that the company will do whatever is necessary to keep its customers safe and secure. The company also said it is aware of the disclosure of the latest zero-day vulnerability, and noted that, for the exploit to work, attackers must already have access to the target victim’s machine and the ability to run code on it.
With the Thanksgiving holiday in the US, and the fact that a hacker would need physical access to a PC, it could take a while until a patch is released. Microsoft usually releases fixes on the second Tuesday of each month, known as “Patch Tuesday,” and it tests bug fixes with Windows Insiders first. A fix could come by 14 December.