CONFERENCE NOW LIVE: Threat Detection & Incident Response (TDIR) Summit - Join the Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researcher Shows Windows Flaw More Serious After Microsoft Releases Incomplete Patch

A researcher has discovered that a Windows vulnerability for which Microsoft released an incomplete patch in August is more serious than initially believed.

A researcher has discovered that a Windows vulnerability for which Microsoft released an incomplete patch in August is more serious than initially believed.

Tracked as CVE-2021-34484, the bug is described by Microsoft as a Windows User Profile Service elevation of privilege, and requires local, authenticated access for exploitation. All versions of Windows, including Windows Server, are affected.

The security error resides in the User Profile Service, affecting code designed for creating a temporary user profile folder when the original profile folder is damaged.

Microsoft’s incomplete patch for the issue could be easily bypassed with only a small change in the attacker script, security researcher Abdelhamid Naceri, who discovered the vulnerability, found out.

The security error appears to have a greater impact than Microsoft’s initial assessment of it, as it could allow an attacker logged in as a regular user to execute code with System privileges.

The researcher discovered it was possible to use symbolic links to target the process of copying folders and files from the original profile folder to the temporary folder, which allows an attacker to create attacker-writable folders within a system location, and then use them to launch system processes to execute code.

Microsoft’s fix checked whether a symbolic link was used for the destination folder, and aborted the operation if so. However, the incomplete fix would only check for the symbolic link in the uppermost folder, but not in other folders along the destination path.

An attacker looking to exploit the vulnerability needs to win a race condition and possibly to obtain additional user credentials than the ones they are logged-on with, but they would have an unlimited number of attempts to successfully complete an attack.

Advertisement. Scroll to continue reading.

A new CVE identifier, CVE-2021-33742, was issued for the flaw, and it is considered a zero-day, given that technical information, along with proof-of-concept (POC) code, have been public since October 22.

ACROS Security’s 0patch service has released an unofficial fix, which extends the security check to the entire destination path of the temporary folder, and aborts the creation of a temporary user profile if any symbolic links are present.

The 0patch fix is available for free until Microsoft releases an official patch for the vulnerability.

Related: Third-Party Patches Available for More PetitPotam Attack Vectors

Related: Microsoft Patch Tuesday: Windows Flaw Under Active Attack

Related: Vendor Ships Unofficial Patch for IE Zero-Day Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.