2 min read

Windows zero-day appears as Microsoft ships record patches

A new Windows privilege-escalation flaw surfaced the same day Microsoft released a record Patch Tuesday haul, and there is no fix yet.

Image: Ars Technica

A new Windows zero-day surfaced the same day Microsoft released a record number of patches, giving attackers a potential path to effectively gain administrator-level control without being admins themselves.

Will Dormann, senior principal vulnerability analyst at Tharros Labs, said the issue is powerful because it lets a non-admin user modify the classes registry hive of an admin user.

“If I can set up the system so that it runs my code when the admin user logs in,” the attacker has de facto administrator privileges. “I don’t need to be an admin myself.”

Will Dormann, senior principal vulnerability analyst at Tharros Labs

In a post, Dormann added that the capability is “a pretty powerful primitive,” and said attackers could likely find ways to use it for more interesting actions, potentially even without user interaction. He also said the exploit might be chained with another flaw that provides direct access to an administrative account.

A separate analyst explained the underlying mechanism this way:

Recommended reading

Suno hack exposed how much music it scraped

“When a new user is logging on, Windows needs to load the user’s class hive. Since the user isn’t logged on before logging on (tautology, I know), it can’t be loaded in the context of the user. So it is loaded in the context of NT AUTHORITY\SYSTEM. LegacyHive abuses this.”

Unnamed analyst

In an emailed statement, Microsoft said it is aware of the vulnerability report and is investigating. The company also said it prefers researchers to follow a coordinated disclosure process.

For now, there is no patch mentioned in the report. Users who want to reduce risk can:

  • run a detection script published by independent researcher Kevin Beaumont
  • restrict local non-user account creation
  • monitor ProfSvc for unexpected hive loads
  • track NTUSER.DAT and UsrClass.dat activity

That leaves defenders relying on monitoring and detection while Microsoft investigates.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via Ars Technica

// Keep reading