Unofficial patches have been issued to remediate an improperly
patched Windows security vulnerability that could allow information
disclosure and local privilege escalation (LPE) on vulnerable
systems.
Tracked as CVE-2021-24084[1]
(CVSS score: 5.5), the flaw concerns an information disclosure
vulnerability in the Windows Mobile Device Management component
that could enable an attacker to gain unauthorized file system
access and read arbitrary files.
Security researcher Abdelhamid Naceri was credited with
discovering and reporting the bug in October 2020, prompting
Microsoft to address the issue as part of its February 2021 Patch
Tuesday updates.
But as observed[2]
by Naceri in June 2021, not only could the patch be bypassed to
achieve the same objective, the researcher this month found that
the incompletely patched vulnerability could also be exploited[3]
to gain administrator privileges and run malicious code on Windows
10 machines running the latest security updates[4].
“Namely, as HiveNightmare/SeriousSAM[5] has taught us, an
arbitrary file disclosure can be upgraded to local privilege
escalation if you know which files to take and what to do with
them,” 0patch co-founder Mitja Kolsek said[6]
in a post last week.
However, it’s worth noting that the vulnerability can be
exploited to accomplish privilege escalation only under specific
circumstances, namely when the system protection feature is enabled
on C: Drive and at least one local administrator account is set up
on the computer.
Neither Windows Servers nor systems running Windows 11 are
affected by the vulnerability, but the following Windows 10
versions are impacted:
- Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates
- Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates
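To help a defender see whether a given host matches the exposure conditions the article lists (an affected Windows 10 version, system protection enabled, at least one local administrator account), here is an added PowerShell check; it is example code written for this page, not from the article or from 0patch. It assumes system protection status can be read from the RPSessionInterval value under the SystemRestore registry key (a global setting, so it does not distinguish the C: drive specifically), and it treats "local administrator account" as an enabled local user in the built-in Administrators group.

```powershell
# Added example (not from the article or 0patch). Run in an elevated Windows PowerShell 5.1 session.
# Assumption: RPSessionInterval = 1 under the SystemRestore key means system protection is on.
# Assumption: a "local administrator account" is an enabled local user in the Administrators group.

$affectedVersions = @('1809', '1903', '1909', '2004', '20H2', '21H1')   # versions named in the article

function Get-OsInfo {
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # DisplayVersion exists from 20H2 onward; older builds only carry ReleaseId
    $version = if ($nt.DisplayVersion) { $nt.DisplayVersion } else { $nt.ReleaseId }
    [pscustomobject]@{
        Product = $nt.ProductName
        Version = $version
        Build   = [int]$nt.CurrentBuild
        Type    = $nt.InstallationType   # 'Client' for desktop SKUs, 'Server' for Windows Server
    }
}

function Test-SystemProtectionEnabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RPSessionInterval
    return ($value -eq 1)
}

function Get-EnabledLocalAdminAccounts {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object {
            # Member names are reported as COMPUTER\user; Get-LocalUser wants the bare name
            Get-LocalUser -Name (($_.Name -split '\\')[-1]) -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Enabled }
}

$os = Get-OsInfo
# Build 22000 and above is Windows 11, which the article says is not affected, nor is Windows Server
$versionAffected = ($os.Type -eq 'Client') -and ($os.Build -lt 22000) -and
                   ($affectedVersions -contains $os.Version)
$protectionOn = Test-SystemProtectionEnabled
$admins = @(Get-EnabledLocalAdminAccounts)

[pscustomobject]@{
    OS                        = "$($os.Product) $($os.Version) (build $($os.Build))"
    VersionInAffectedList     = $versionAffected
    SystemProtectionEnabled   = $protectionOn
    EnabledLocalAdminAccounts = ($admins.Name -join ', ')
    MeetsStatedConditions     = ($versionAffected -and $protectionOn -and $admins.Count -gt 0)
} | Format-List
```

A host reporting MeetsStatedConditions = True is one where the article's privilege-escalation scenario applies and where the official fix or 0patch micropatch should be prioritised.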
CVE-2021-24084 is also the third zero-day Windows vulnerability
to rear its head again as a consequence of an incomplete patch
issued by Microsoft. Earlier this month, 0patch shipped[7]
unofficial fixes for a local privilege escalation vulnerability
(CVE-2021-34484[8]) in the Windows User
Profile Service that enables attackers to gain SYSTEM
privileges.
Then last week, Naceri disclosed details of another zero-day
flaw in the Microsoft Windows Installer service (CVE-2021-41379[9]) that could be bypassed
to achieve elevated privileges on devices running the latest
Windows versions, including Windows 10, Windows 11, and Windows
Server 2022.
References
[1] CVE-2021-24084 (msrc.microsoft.com)
[2] observed (halove23.blogspot.com)
[3] exploited (twitter.com)
[4] latest security updates (thehackernews.com)
[5] HiveNightmare/SeriousSAM (thehackernews.com)
[6] said (blog.0patch.com)
[7] shipped (blog.0patch.com)
[8] CVE-2021-34484 (msrc.microsoft.com)
[9] CVE-2021-41379 (thehackernews.com)
Read more https://thehackernews.com/2021/11/unpatched-unauthorized-file-read.html