Microsoft could not patch this vulnerability yet again

THREAT LEVEL: Amber.

An improperly patched Windows vulnerability, CVE-2021-24084, can be abused for local privilege escalation and information disclosure. The flaw was reported to Microsoft in October 2020 and addressed in the February 2021 Patch Tuesday release, but the researcher who found it was later able to bypass the fix, leaving Windows 10 with yet another zero-day caused by an incomplete patch.

CVE-2021-24084 was originally classified as an information disclosure vulnerability in the Windows Mobile Device Management component. It was later shown that the same flaw can be turned into local privilege escalation: an unprivileged local user can read arbitrary files they have no permission to access, and from there obtain administrative privileges. Windows 10 remains affected even with the November 2021 updates applied (according to 0patch, Windows 11 and Windows Server are not affected).

After examining Microsoft's February fix, Abdelhamid Naceri, the security researcher who originally reported the bug, found that the patch could be bypassed, and in November 2021 he showed that the still-unfixed flaw can be used for privilege elevation. He has made a proof of concept publicly available.

An unofficial micropatch has been released by 0patch and is available free of charge until Microsoft ships an official fix for the vulnerability.
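Because there is no vendor patch to check for, the practical question for a defender is which hosts are in scope and whether the interim mitigation is present. The following PowerShell triage script is an added example written for this advisory; it is not code from 0patch, Microsoft or the researcher. It assumes that the affected scope is Windows 10 client builds (below build 22000, i.e. not Windows 11, and not Server), that the 0patch agent registers a Windows service whose name contains "0patch", and that the privilege-escalation path is more dangerous on hosts that have VSS shadow copies (the technique used to read SAM/SYSTEM from a shadow copy). All three are assumptions stated in the comments, not facts from the advisory.

```powershell
# Added triage check for CVE-2021-24084 exposure. Not the advisory's or 0patch's code.
# Assumptions (not from the advisory):
#   - in-scope hosts are Windows 10 client builds: ProductType 1, build 10240..21999
#   - the 0patch agent is visible as a service whose Name/DisplayName contains "0patch"
#   - existing VSS shadow copies raise the risk, since the arbitrary-read can be
#     pointed at SAM/SYSTEM copies inside them
# Read-only: makes no changes to the host. Shadow copy enumeration needs admin;
# without it the count is reported as -1 (unknown).

function Test-Cve202124084Exposure {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # ProductType 1 = workstation. Build >= 22000 is Windows 11 (assumption: out of scope).
    $inScope = ($os.ProductType -eq 1) -and ($build -ge 10240) -and ($build -lt 22000)

    # Most recent cumulative/security update, so the reader can see whether the
    # November 2021 updates are present (the advisory says they do not fix this bug).
    $latestFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # Assumption: 0patch agent exposes a service with "0patch" in its name.
    $agent = Get-Service |
        Where-Object { $_.Name -like '*0patch*' -or $_.DisplayName -like '*0patch*' } |
        Select-Object -First 1

    # Shadow copies (WMI Win32_ShadowCopy); requires elevation to enumerate.
    $shadowCount = -1
    try {
        $shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop).Count
    } catch {
        $shadowCount = -1
    }

    $verdict =
        if (-not $inScope) {
            'Not in scope for this advisory (not a Windows 10 client build)'
        } elseif ($agent) {
            'In scope; 0patch agent present, confirm the CVE-2021-24084 micropatch is applied in the 0patch console'
        } else {
            'In scope; no official fix available, consider the 0patch micropatch and restrict untrusted local logons'
        }

    if ($inScope -and $shadowCount -gt 0) {
        $verdict += "; $shadowCount shadow copy(ies) present, which increases the privilege-escalation risk"
    }

    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        OS              = $os.Caption
        Build           = $build
        InScope         = $inScope
        LatestHotfix    = if ($latestFix) { "$($latestFix.HotFixID) ($($latestFix.InstalledOn.ToString('yyyy-MM-dd')))" } else { 'unknown' }
        MicropatchAgent = if ($agent) { $agent.DisplayName } else { 'absent' }
        ShadowCopies    = $shadowCount
        Verdict         = $verdict
    }
}

# Example usage: run locally, or wrap in Invoke-Command for a fleet sweep.
Test-Cve202124084Exposure | Format-List
```

Run it from an elevated prompt to get the shadow-copy count; from a standard user it still reports the OS scope and agent status. The service-name match is deliberately loose because the exact 0patch service name is an assumption here; verify it once on a host where the agent is installed and tighten the filter if needed.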

Vulnerability Details

Patch Link

https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html

References

https://threatpost.com/unpatched-windows-zero-day-privileged-file-access/176609/

https://thehackernews.com/2021/11/unpatched-unauthorized-file-read.html

https://www.techradar.com/sg/news/nasty-windows-10-vulnerability-gets-a-patch-but-not-from-microsoft