Virtual security is in the news again, though not always for positive reasons. On Saturday (20), a researcher published the workings of a newly discovered Windows zero-day vulnerability that allows ordinary users to elevate their system privileges. The flaw was detected on Windows 10, Windows 11 and Windows Server.

The vulnerability was discovered by Abdelhamid Naceri while reviewing the fix Microsoft released for the CVE-2021-41379 bug, which already allowed elevation of privilege. The researcher claims that the loophole works even on systems where the previous fix was applied, and that it is triggered through Windows Installer (MSI) operations.

By exploiting this vulnerability, users with standard access privileges could gain SYSTEM-level privileges, making it possible for malicious actors to spread their threats across the entire device.


On Saturday (20), Naceri posted a proof-of-concept for the zero-day vulnerability on GitHub. The researcher points out that, even though Windows Server can be configured to prevent users with standard privileges from performing MSI operations, the discovery bypasses this setting and allows any account on the system to perform them.

Finally, Naceri claims that the discovery is more impactful and powerful than CVE-2021-41379, and warns users not to try to patch the flaw themselves, as any mistake could break Windows Installer operations.

For now, Microsoft has not commented or announced a fix for the issue.

Zero-day vulnerability with Naceri

Researcher Abdelhamid Naceri was recently in the security news for using a report he authored as the basis for an unofficial fix for another Windows flaw, developed by the 0patch group. The vulnerability in question also allowed escalation of user privileges.

Naceri also claims that he only made the proof-of-concept available on GitHub because of his dissatisfaction with the rewards Microsoft currently pays to those who discover and report system flaws to the company.

Under Microsoft’s new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000 💀 — MalwareTech (@MalwareTechBlog) July 27, 2020

Recently, reports from researchers on Twitter indicated that the company founded by Bill Gates had lowered its rewards from $10,000 to $1,000, leaving many of these experts uneasy. Judging by the statement in his GitHub post, Naceri is one of them.