Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researcher Shows Windows Flaw More Serious After Microsoft Releases Incomplete Patch

A researcher has discovered that a Windows vulnerability for which Microsoft released an incomplete patch in August is more serious than initially believed.

A researcher has discovered that a Windows vulnerability for which Microsoft released an incomplete patch in August is more serious than initially believed.

Tracked as CVE-2021-34484, the bug is described by Microsoft as a Windows User Profile Service elevation of privilege, and requires local, authenticated access for exploitation. All versions of Windows, including Windows Server, are affected.

The security error resides in the User Profile Service, affecting code designed for creating a temporary user profile folder when the original profile folder is damaged.

Microsoft’s incomplete patch for the issue could be easily bypassed with only a small change in the attacker script, security researcher Abdelhamid Naceri, who discovered the vulnerability, found out.

The security error appears to have a greater impact than Microsoft’s initial assessment of it, as it could allow an attacker logged in as a regular user to execute code with System privileges.

The researcher discovered it was possible to use symbolic links to target the process of copying folders and files from the original profile folder to the temporary folder, which allows an attacker to create attacker-writable folders within a system location, and then use them to launch system processes to execute code.

Microsoft’s fix checked whether a symbolic link was used for the destination folder, and aborted the operation if so. However, the incomplete fix would only check for the symbolic link in the uppermost folder, but not in other folders along the destination path.

An attacker looking to exploit the vulnerability needs to win a race condition and possibly to obtain additional user credentials than the ones they are logged-on with, but they would have an unlimited number of attempts to successfully complete an attack.

A new CVE identifier, CVE-2021-33742, was issued for the flaw, and it is considered a zero-day, given that technical information, along with proof-of-concept (POC) code, have been public since October 22.

ACROS Security’s 0patch service has released an unofficial fix, which extends the security check to the entire destination path of the temporary folder, and aborts the creation of a temporary user profile if any symbolic links are present.

The 0patch fix is available for free until Microsoft releases an official patch for the vulnerability.

Related: Third-Party Patches Available for More PetitPotam Attack Vectors

Related: Microsoft Patch Tuesday: Windows Flaw Under Active Attack

Related: Vendor Ships Unofficial Patch for IE Zero-Day Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.