The Windows Security Vulnerability (CVE-2021-24084) which allows disclosure and Local Privilege Escalation (LPE) on vulnerable systems has received a follow up patch after the last patch failed to solve the problem.
But as observed by Naceri in June 2021, not only could the patch be bypassed to achieve the same objective, the researcher this month found that the incompletely patched vulnerability could also be exploited to gain administrator privileges and run malicious code on Windows 10 machines running the latest security updates.
It should be noted that accomplishing local privilege escalation happens only under specific circumstances such as when the system protection feature is enabled on C:Drive and at least one local administrator account is set up on the computer.
Neither Windows Servers nor systems running Windows 11 are affected by the vulnerability, but the following Windows 10 versions are impacted —
Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates
Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates
Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates
Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates
Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates
Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates
This vulnerability is also the third zero-day Windows vulnerability which has occured as a consequence of an incomplete patch issued by Microsoft. Unofficial fixes was first released by 0patch for a local privilege escalation vulnerability (CVE-2021-34484) in the Windows User Profile Service that enables attackers gain SYSTEM privileges.
CVE-2021-24084 is also the third zero-day Windows vulnerability to rear its head again as a consequence of an incomplete patch issued by Microsoft. Earlier this month, 0patch shipped unofficial fixes for a local privilege escalation vulnerability (CVE-2021-34484) in the Windows User Profile Service that enables attackers to gain SYSTEM privileges.
Then last week, Naceri disclosed details of another zero-day flaw in the Microsoft Windows Installer service (CVE-2021-41379) that could be bypassed to achieve elevated privileges on devices running the latest Windows versions, including Windows 10, Windows 11, and Windows Server 2022.