
Microsoft shares workarounds for new Windows 10 zero-day bug


Microsoft has shared workarounds for a Windows 10 zero-day vulnerability that may let attackers gain admin rights on vulnerable systems and execute arbitrary code with SYSTEM privileges.

As BleepingComputer previously reported, a local elevation of privilege bug in recently released Windows versions allows users with low privileges to access sensitive Registry database files.

Impacts Windows 10 versions released since 2018

The security flaw, publicly disclosed by security researcher Jonas Lykkegaard on Twitter and yet to receive an official patch, is now tracked by Microsoft as CVE-2021-36934.

“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database,” Microsoft explains in a security advisory published on Tuesday evening.

“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.”

As Microsoft further revealed, this zero-day vulnerability affects Windows releases since October 2018, starting with Windows 10, version 1809.

Lykkegaard also found that Windows 11 (Microsoft’s not yet officially released OS) is affected as well.

Workarounds now available

The databases exposed to user access by this bug (i.e., SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE) are stored under the C:\Windows\system32\config folder.

Mimikatz creator Benjamin Delpy told BleepingComputer that anyone could easily take advantage of the incorrect file permissions to steal an elevated account’s NTLM hashed password and gain higher privileges via a pass-the-hash attack.

While attackers cannot directly access the databases because of access violations triggered by the files always being in use by the OS, they can access them through Volume Shadow Copies.

Microsoft recommends restricting access to the problematic folder AND deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate this issue.

Users should be aware that removing shadow copies from their systems could impact system and file restore operations, such as restoring data using third-party backup apps.

These are the steps needed to block exploitation of this vulnerability temporarily:

Restrict access to the contents of %windir%\system32\config:

  1. Open Command Prompt or Windows PowerShell as an administrator.

  2. Run this command: icacls %windir%\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies:

  1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.

  2. Create a new System Restore point (if desired).

Microsoft is still investigating the vulnerability and is working on a patch that will most likely be released as an out-of-band security update later this week.
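A check-and-mitigate script that covers both workaround steps above, added here as an example; it is not part of the article or of Microsoft's advisory. It assumes an elevated Windows PowerShell 5.1 session; the per-hive BUILTIN\Users read check, the Win32_ShadowCopy handling and the function names are this example's own choices, not commands the article gives.

```powershell
# Added example, not from the article or Microsoft. Detects and mitigates
# CVE-2021-36934 on one host. Run from an elevated Windows PowerShell prompt.
# Assumes admin rights; Checkpoint-Computer exists only in Windows PowerShell 5.1.

$configDir = Join-Path $env:windir 'system32\config'
$hives     = 'SAM', 'SECURITY', 'SYSTEM', 'SOFTWARE', 'DEFAULT'

function Test-HiveExposure {
    # Returns the hive files on which BUILTIN\Users holds an Allow ACE with
    # read-data rights, i.e. the over-permissive ACL the advisory describes.
    # Reading an ACL only needs READ_CONTROL, so the OS keeping the file
    # open does not block this check.
    foreach ($name in $hives) {
        $path = Join-Path $configDir $name
        $readByUsers = (Get-Acl -LiteralPath $path).Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        }
        if ($readByUsers) { $path }
    }
}

function Invoke-HiveMitigation {
    param([switch]$DeleteShadowCopies)
    # Step 1 from the article: re-enable ACL inheritance from the config folder
    # so the hive files drop the inherited Users read entry.
    icacls "$configDir\*.*" /inheritance:e | Out-Null

    # Step 2: shadow copies taken before the fix still carry the old ACLs.
    # Listing is harmless; deletion breaks System Restore and any backup that
    # relies on these snapshots, so it is opt-in.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
    Write-Host ("Shadow copies present: {0}" -f $shadows.Count)
    if ($DeleteShadowCopies -and $shadows.Count -gt 0) {
        $shadows | Remove-CimInstance
        # Optional: a fresh restore point now that the ACLs are corrected.
        Checkpoint-Computer -Description 'CVE-2021-36934 mitigation' -RestorePointType MODIFY_SETTINGS
    }
}

$exposed = @(Test-HiveExposure)
if ($exposed.Count -eq 0) {
    Write-Host 'Hive files are not readable by BUILTIN\Users; no action needed.'
} else {
    Write-Host "Exposed hive files:`n  $($exposed -join "`n  ")"
    Invoke-HiveMitigation            # add -DeleteShadowCopies to remove old snapshots
    Write-Host ('Still exposed after fix: {0}' -f @(Test-HiveExposure).Count)
}
```

Re-run the check after applying the update Microsoft ships; a patched host should report no exposed hive files without needing the inheritance change.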
