Microsoft Issues Workaround for New Windows Vulnerability


Windows 10 version 1809 and newer (including Windows 11 preview builds) suffer from a vulnerability, tracked as CVE-2021-36934, that lets a local, non-administrative user gain SYSTEM privileges. Microsoft is still investigating the problem, but it has issued a workaround.

“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database,” a Microsoft security bulletin explains. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”


The CERT Coordination Center (CERT/CC) provides a bit more detail in its vulnerability note.

“With a successful exploit, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to extracting and leveraging account password hashes, discovering the original Windows installation password, obtaining DPAPI computer keys, which can be used to decrypt all computer private keys, [and] obtaining a computer machine account, which can be used in a silver ticket attack.”

The good news? The live hive files are held open by the running system, so a standard user cannot read them directly even with the permissive ACL; the attack only works through a Volume Shadow Copy Service (VSS) shadow copy, which holds an unlocked copy of the files with the same bad permissions, so a shadow copy has to exist on the PC. And an attacker must already be able to execute code on the victim system before they can exploit this vulnerability, whether as a logged-on standard user or through a user who opened a malicious file, so this is a local privilege escalation, not a remote break-in.

This new vulnerability was discovered by a security researcher who noticed that the SAM hive was readable by standard users, which opened a path to SYSTEM access. The issue was later confirmed by Microsoft, which is still investigating and will presumably issue a fix.

For now, however, Microsoft’s security bulletin describes a two-step workaround: restore the restrictive permissions on the files in %windir%\system32\config by re-enabling ACL inheritance on them, and then delete existing VSS shadow copies, which still contain readable copies of the hives. Deleting shadow copies also removes System Restore points and could impair future restore operations using Microsoft or third-party tools.
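The check and the workaround, as an added PowerShell example for this article (it is not Microsoft’s published script, and the function names are this example’s own): it reports which hives a standard user could read, lists the shadow copies that would expose them, and then applies the two steps from Microsoft’s bulletin. Run it from an elevated prompt.

```powershell
# Added example (not from the article or from Microsoft): audit the hive ACLs and shadow copies
# behind CVE-2021-36934, then apply the workaround Microsoft's bulletin describes.
# Function names are this example's own. Requires an elevated PowerShell prompt.

$ConfigDir = Join-Path $env:windir 'System32\config'
$HiveNames = @('SAM', 'SECURITY', 'SYSTEM')

# Returns the names of hives whose ACL grants read access to a low-privilege principal.
# On an affected system 'icacls %windir%\system32\config\sam' shows BUILTIN\Users:(I)(RX);
# Get-Acl works here because reading a security descriptor does not need the file's data
# and so is not blocked by the lock the system holds on the live hives.
function Get-ExposedHive {
    $lowPrivNames = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $readBit      = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($name in $HiveNames) {
        $acl = Get-Acl -Path (Join-Path $ConfigDir $name)
        $readable = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPrivNames -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band $readBit) -ne 0)
        }
        if ($readable) { $name }
    }
}

# Lists the shadow copies on the machine. Each one carries an unlocked copy of the hives with
# the permissions they had when the snapshot was taken, which is why the workaround deletes them.
function Get-HiveShadowCopy {
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

# Applies the two steps from Microsoft's workaround.
function Invoke-HiveAclWorkaround {
    # 1. Re-enable ACL inheritance on every file under %windir%\System32\config so the hives
    #    fall back to the restrictive permissions of the parent folder.
    icacls (Join-Path $ConfigDir '*.*') /inheritance:e

    # 2. Delete the existing shadow copies on the system drive (and with them the System
    #    Restore points). Restore operations that depend on them will fail afterwards.
    vssadmin delete shadows "/for=$($env:SystemDrive)" /all /quiet

    # Optional: take a fresh restore point now that the on-disk permissions are correct.
    Checkpoint-Computer -Description 'After CVE-2021-36934 workaround' -RestorePointType MODIFY_SETTINGS
}

# Usage from an elevated prompt: audit first, remediate only if a hive is exposed.
$exposed = @(Get-ExposedHive)
if ($exposed.Count -eq 0) {
    Write-Host 'Hive ACLs look correct; nothing to do.'
} else {
    Write-Host "Readable by standard users: $($exposed -join ', ')"
    Write-Host "Shadow copies present: $(@(Get-HiveShadowCopy).Count)"
    Invoke-HiveAclWorkaround
}
```

Two caveats: the ACL check alone is not enough, because a machine with correct permissions on the live files can still have an older shadow copy with the bad ones, so the audit should look at both outputs; and deleting shadow copies may conflict with a backup policy, so confirm what they are used for before running the last function.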

And if it makes you feel any better, Qualys researchers also disclosed two Linux vulnerabilities in the same week, both triggered by extremely long file paths: a local privilege escalation in the Linux kernel’s filesystem layer and a denial of service (a crash, not an escalation) in systemd. You can learn more from Qualys here and here.


Conversation 13 comments

  • wright_is

    Premium Member
    21 July, 2021 - 9:00 am

    The exploit doesn’t require VSS. The VSS part was that, after using the icacls command to restore the proper protection to the files, you then need to delete any VSS copies that exist on the system, to ensure that no residual copies of the files in unrestricted access form are available. If you are worried about later recovery, you can create a new VSS shadow copy after you have deleted the old ones.

    He found the problem on Windows 11 beta and wondered whether it was a mistake on the beta, but upon checking Windows 10 installations, he discovered that it was an error that crept in earlier, probably during a recent patch.

    • wright_is

      Premium Member
      21 July, 2021 - 9:02 am

      VSS is usually disabled on sub-128GB drives, but if the drive/partition is over 128GB in size, Windows will automatically create a VSS shadow copy when installing patches or when the user installs a new application using an .MSI installer.

      I had 2 shadow copies on my work and private machines.

  • colin79666

    Premium Member
    21 July, 2021 - 11:56 am

    Microsoft needs to explain how this came about. Legacy code being found wanting in the current security climate with printing is one thing, but to actually introduce such a permission flaw as part of forced feature updates is another level of concern.

    • wright_is

      Premium Member
      21 July, 2021 - 12:01 pm

      Probably someone disabled the protection to change something on the fly and forgot to reset the permissions before using the tool that goes through all changed files when generating the patch package.

      • hrlngrv

        Premium Member
        21 July, 2021 - 7:46 pm

        If your surmise is correct, it’d still be damning about the lack of procedural checklists and controls.

        That is, WHEN and HOW should any developer “disable the protection to change something on the fly” without getting approval to do so from someone else whose job is ensuring that protection would be reenabled within, say, 30 minutes?

    • winner

      21 July, 2021 - 2:27 pm

      Microsoft’s crack QC testing group at work again.

      Oh, wait…

      • hrlngrv

        Premium Member
        21 July, 2021 - 7:41 pm

        Is it the Insider Program members providing so little feedback, or the Windows developers paying too little attention to it?

  • mattbg

    Premium Member
    21 July, 2021 - 3:00 pm

    “And an attacker must have the ability to execute code on a victim system before they can exploit this vulnerability, so the system has to have been exploited some other way first.”

    This is for sure a mitigation, but I’m not sure it should make anyone breathe easier. With the number of domestic and foreign contractors that have accounts on internal IT systems in corporations these days, being able to bypass the device controls on their own PCs or on any PCs they have non-privileged access to is a big deal.

    • wright_is

      Premium Member
      22 July, 2021 - 12:19 am

      Or the ability to send files, even Word documents or PDFs, by email or messaging system; getting to execute code on the machine is comparatively easy.

  • hrlngrv

    Premium Member
    21 July, 2021 - 7:40 pm

    The link to the 2nd Linux vulnerability describes a way to crash a Linux system, not a privilege escalation vulnerability.

  • ezzy

    Premium Member
    23 July, 2021 - 11:10 am

    That Linux vulnerability is crazy.

    Step 1. Create a file path greater than 1GB in size. (Think a file path 10 million or so characters long.)

    I mean, who comes up with this stuff?

    • wright_is

      Premium Member
      24 July, 2021 - 7:18 am

      Security testers and, unfortunately, the bad guys.

    • hrlngrv

      Premium Member
      25 July, 2021 - 8:26 pm

      Almost certainly this was discovered due to an error trying to do something else. That is, generating the GB-length pathname was a bug, but that bug exposed the vulnerability. Making lemonade from lemons, as it were.


Thurrott © 2024 Thurrott LLC