This is the second time a third-party patcher has stepped in to fix the same Windows security issue
The Windows local privilege escalation zero-day vulnerability has a new unofficial fix, again.
A locally exploited Microsoft vulnerability (CVE-2021-34484) has been unofficially fixed by net heroes 0patch. Again. Found several months ago in the Windows User Profile Service, 0patch has done what Microsoft was seemingly unable to do, nullifying the privilege escalation zero-day vulnerability that had been leaving Windows 10, Windows 11, and Windows Server users open to hackers.
When Microsoft failed to fix the bug before, its patch actually ended up breaking 0patch's previous unofficial patch. There's a lot of to-ing and fro-ing between coders of different creeds, then, which really isn't helping. Here's how it played out:
Discovered and reported by Abdelhamid Naceri, the vulnerability scored a whopping 7.8 on the CVSS v3 danger scale, although we can't find any reports of the vulnerability having been exploited.
Still, the potential for local attackers to gain admin rights has been very real, and Bleeping Computer notes that, since mid-2021, the vulnerability had been marked as solved several times, despite the vulnerability still existing.
Back in August 2021, just after the vulnerability first came into view, Naceri noticed the door was left ajar. Microsoft's official patch only partially fixed the issue, so Naceri sent a PoC (proof of concept) to prove it was still possible to bypass the patch on any version of Windows.
That's when 0patch appeared with its first unofficial profext.dll patch, which held the fort for a while, until Microsoft tried again in January 2022, marking the bug as fixed. Naceri quickly found a way to get around it, though, and it turned out Microsoft's fix replaced the file 0patch had added the working patch to.
0patch has now ported the fix for the latest Microsoft patch Tuesday update, so as long as you have a free 0patch Central account, you should be able to get the micro-patch, and undo the foibles of our most beloved Microsoft.
For its part, Microsoft has responded to Bleeping Computer with an acknowledgement that "we're aware of this report and will take action as needed to protect customers."
Screw sports, Katie would rather watch Intel, AMD and Nvidia go at it. Having been obsessed with computers and graphics for three long decades, she took Game Art and Design up to Masters level at uni, and has been rambling about games, tech and science—rather sarcastically—for four years since. She can be found admiring technological advancements, scrambling for scintillating Raspberry Pi projects, preaching cybersecurity awareness, sighing over semiconductors, and gawping at the latest GPU upgrades. Right now she's waiting patiently for her chance to upload her consciousness into the cloud.