Frustrated security researcher discloses Windows zero-day bug, blames Microsoft

There’s a new zero-day issue in Windows, and this time the bug has been disclosed to the public by an angry security researcher. The vulnerability lets a user open a command prompt with unauthorized system privileges, which could then be used to spread malicious content across the network.

According to a report from Bleeping Computer, Abdelhamid Naceri, the security researcher who disclosed this bug, is frustrated with Microsoft over payouts from the bug bounty program. Bounties have apparently been downgraded significantly over the past two years. Naceri isn’t alone, either. One Twitter user reported in 2020 that zero-day vulnerabilities no longer pay $10,000 and are now valued at $1,000. Earlier this month, another Twitter user reported that bounties can be reduced at any time.

Image: Windows 11 blue error crash screen (credit: Microsoft).

Microsoft apparently fixed one zero-day issue with the latest round of “Patch Tuesday” updates, but its fix for another was incomplete. Naceri bypassed the patch and found a more powerful variant. The zero-day vulnerability impacts all supported versions of Windows, including Windows 8.1, Windows 10, and Windows 11.

“This variant was discovered during the analysis of the CVE-2021-41379 patch. The bug was not fixed correctly, however. Instead of dropping the bypass, I have chosen to actually drop this variant as it is more powerful than the original one,” explained Naceri in a GitHub post.

His proof of concept is on GitHub, and Bleeping Computer tested the exploit and confirmed that it runs. It is also being exploited in the wild with malware, according to the publication.

In a statement, a Microsoft spokesperson said that the company will do what is necessary to keep its customers safe and protected. The company also said it is aware of the disclosure of the latest zero-day vulnerability, and noted that attackers must already have access to a target victim’s machine and the ability to run code on it for the exploit to work.

With the Thanksgiving holiday in the U.S., and given that a hacker would need physical access to a PC, it could be a while until a patch is released. Microsoft usually issues fixes on the second Tuesday of each month, known as “Patch Tuesday,” and it tests bug fixes with Windows Insiders first. A fix could come as soon as December 14.

Arif Bacchus
Arif Bacchus is a native New Yorker and a fan of all things technology. Arif works as a freelance writer at Digital Trends…