Facepalm: Since last summer, a potentially dangerous vulnerability affecting all currently supported versions of Windows has eluded Microsoft’s security team. So far, Redmond developers have failed to fix it twice. This week an outside group released its own patch for the second time.
Third-party platform 0patch has released its second fix for a local privilege escalation vulnerability after Microsoft’s latest attempt at mitigation broke the group’s first patch. The latest version works for the March 2022 editions of Windows 10 v21H1, v20H2, v1909, and Windows Server 2019. Downloading it requires a free account at 0patch’s website.
A Bug That Doesn’t Want To Die (CVE-2021-34484) – Twice Bypassed and Twice Micropatched, Will Third Time be a Charm? https://t.co/BqzFrC9P3E pic.twitter.com/VooVZILHSk
— 0patch (@0patch) March 21, 2022
The whole debacle started last August when security researcher Abdelhamid Naceri discovered a vulnerability (CVE-2021-34484) that lets a local attacker gain administrator-level privileges. It affects Windows 11, Windows 10, and Windows Server. Microsoft attempted to fix the vulnerability as part of August 2021 Patch Tuesday, but Naceri soon developed a proof of concept that circumvented Microsoft’s fix.
In November, 0patch stepped in with its first unofficial fix, which proved effective. However, Microsoft released a second official patch as part of January 2022 Patch Tuesday. Not only did Naceri find a way around this one, but applying it also undid 0patch’s working solution.
Developers at 0patch have now ported a new fix to versions of Windows with Microsoft’s latest updates. The group says its first patch still protects Windows versions that no longer receive official support—like Windows 10 v1803, v1809, and v2004.