There is a new patch for Windows 10, but it is not from Microsoft

April 2023 · 2 minute read

Bugs are common, and Microsoft usually addresses them on Patch Tuesday. Still, this particular bug has gone unaddressed for so long that cybersecurity researchers felt the need to release a patch of their own.

Originally discovered in 2020, the bug had the potential to become a local privilege escalation vulnerability, but it has been overlooked since then.

Mitja Kolsek, the founder of the 0patch micropatching service, also ignored the vulnerability since it wasn’t critical enough at the time.

Escalation

In discussing the bug, currently tracked as CVE-2021-24084, Kolsek refers to a fixed Windows privilege escalation vulnerability tracked as CVE-2021-36934. Under specific conditions, the bug allows arbitrary file disclosure and can be upgraded to local privilege escalation.

Bug upgrade

Back in November, when the bug was still unpatched, Abdelhamid pointed out on Twitter that it could be a local privilege escalation vulnerability rather than an information disclosure issue.

Kolsek later confirmed this by using a procedure outlined in a blog post by Raj Chandel, and explained why the need arose to patch the bug.

Although the patch is unofficial, it will work on all affected versions of Windows 10. What’s even better is that it will be free of charge until Microsoft releases the official fix.

Have you encountered the nasty bug, and will you be using the unofficial patch? Let us know in the comment section below.
