A security researcher found a zero-day flaw in an emergency security update for Windows 10, 11, and Server 2022. The earlier loophole allowed installers to be used to deliver malware (the BazaarLoader) and to give the intruder administrator privileges on the computer. Microsoft claimed to have fixed it a week ago; however, the fix does not seem to have worked well.

Tracked as CVE-2021-41379, the "Installer Elevation of Privilege" vulnerability could be used by cybercriminals in scams that use malicious programs to take full control of targets. This way, they could steal data, delete accounts or even gain lateral access to other machines on the network.


Abdelhamid Naceri, the researcher who found the flaw, stumbled upon the loophole after taking a closer look at the patch provided by Microsoft to fix the problem. He then demonstrated, on GitHub, a proof-of-concept program that could easily bypass the new measures introduced by the security update.

“This variant was discovered during the analysis of the CVE-2021-41379 patch. The bug was not corrected correctly, however, keeping the loophole,” explains Naceri in the document. “I decided to show this variant as it is more powerful than the original.”

Zero-day disclosure was driven by… poor pay

The researcher explains that he decided to expose the zero-day flaw after the Windows security fix out of sheer financial frustration. That's because Microsoft has been remunerating white-hat hackers poorly for flaw discoveries, which perhaps even makes it look like crime pays.

“Microsoft's rewards have been getting worse since April 2020, and I really wouldn't do that if MSFT didn't make the decision to lower these rewards,” Naceri laments to BleepingComputer.

A Microsoft representative responded that the company "is aware of the disclosure" and will do what is necessary to keep customers safe and secure. “An attacker using the methods described should already have access and the ability to run code on a victim's machine,” he says.

Finally, Abdelhamid Naceri clarifies that it is best to wait for an automatic Windows security patch, since manually downloading the file can break the Windows Installer itself. “So, you better wait and see how Microsoft messes up the patch again,” he concludes.
