Windows zero-day flaw giving admin rights gets unofficial patch, again



A Windows local privilege escalation zero-day vulnerability that Microsoft has failed to fully address for several months now allows users to gain administrative privileges in Windows 10, Windows 11, and Windows Server.


The locally exploited vulnerability in Windows User Profile Service is tracked as CVE-2021-34484 and was given a CVSS v3 score of 7.8. While exploits have been publicly disclosed in the past, they are not believed to be actively exploited in the wild.


The peculiarity of this case lies in the fact that Microsoft has been unable to address the flaw since its discovery last summer and that it has marked the bug as fixed twice.


According to the 0patch team, which has been unofficially providing fixes for discontinued Windows versions and some vulnerabilities that Microsoft won't address, the flaw is still a zero-day. In fact, Microsoft's patches failed to fix the bug and broke 0patch's previous unofficial patch.


The LPE that won't stay fixed


The Windows User Profile Service Elevation of Privilege Vulnerability, tracked as CVE-2021-34484, was discovered by security researcher Abdelhamid Naceri and disclosed to Microsoft, who fixed it as part of the August 2021 Patch Tuesday.


Soon after the fix was released, Naceri noticed that Microsoft’s patch was incomplete and p ..
