
Frustrated security researcher discloses Windows zero-day bug, blames Microsoft

There’s a new zero-day issue in Windows, and this time the bug has been disclosed to the public by an angry security researcher. The vulnerability relates to users leveraging the command prompt with unauthorized system privileges to share dangerous content through the network.

According to a report from Bleeping Computer, Abdelhamid Naceri, the security researcher who disclosed this bug, is frustrated with Microsoft over payouts from the bug bounty program. Bounties have apparently been downgraded significantly over the past two years. Naceri isn’t alone, either. One Twitter user reported in 2020 that zero-day vulnerabilities no longer pay $10,000 and are now valued at $1,000. Earlier this month, another Twitter user reported that bounties can be reduced at any time.


Microsoft apparently fixed a zero-day issue with the latest round of “Patch Tuesday” updates, but left another unpatched and incorrectly fixed. Naceri bypassed the patch and found a more powerful variant. The zero-day vulnerability impacts all supported versions of Windows, including Windows 8.1, Windows 10, and Windows 11.


“This variant was discovered during the analysis of CVE-2021-41379 patch. The bug was not fixed correctly, however, instead of dropping the bypass. I have chosen to actually drop this variant as it is more powerful than the original one,” explained Naceri in a GitHub post.

His proof of concept is on GitHub, and Bleeping Computer tested the exploit and ran it. It is also being exploited in the wild with malware, according to the publication.

In a statement, a Microsoft spokesperson said that it will do what is necessary to keep its customers safe and protected. The company also mentioned it is aware of the disclosure of the latest zero-day vulnerability. It mentioned that attackers must already have access and the ability to run code on a target victim’s machine for it to work.

With the Thanksgiving holiday in the U.S., and the fact that a hacker would need physical access to a PC, it could be a while until a patch is released. Microsoft usually issues fixes on the second Tuesday of each month, known as “Patch Tuesday.” It also tests bug fixes with Windows Insiders first. A fix could come as soon as December 14.

Arif Bacchus
Arif Bacchus is a native New Yorker and a fan of all things technology. Arif works as a freelance writer at Digital Trends…