A free unofficial patch has been issued to protect Windows users against a zero-day flaw in the Mobile Device Management Service that affects Windows 10, version 1809 and later. The security vulnerability is hidden in the “Access work or school” settings, and it works around a Microsoft patch published in February to fix an information leak bug known as CVE-2021-24084.
After publicly exposing the newly found weakness in June, security researcher Abdelhamid Naceri revealed that the incompletely fixed vulnerability could potentially be exploited to get admin rights.
While Microsoft is certainly aware of Naceri’s June report, it has yet to fix the LPE problem, leaving Windows 10 PCs running the November 2021 security patches vulnerable to attacks. Fortunately, attackers may only take advantage of the flaw if two extremely particular circumstances are met:
- System protection must be activated on drive C, and at least one restore point must be established. Various factors determine whether system protection is activated or disabled by default.
- At least a single administrator account must be activated on the machine, or the credentials of at least one member of the “Administrators” group must be cached.
You’ll need to create a 0patch account and install the 0patch agent to apply the unofficial patch to your machine. The patch will be deployed automatically (assuming no custom patching corporate rules are configured to prohibit it) without needing a restart after opening the agent on your device.
This month, it is the second Windows zero-day to receive a micropatch after Naceri discovered fixes for another flaw (CVE-2021-34484) in the Windows User Profile Service. With a proof-of-concept (PoC) vulnerability revealed by Naceri over the weekend, Microsoft also has to repair a third zero-day problem in the Microsoft Windows Installer.
If the zero-day is effectively abused, attackers can get SYSTEM access on up-to-date machines running the latest versions of Windows – Windows 10, Windows 11, and Windows Server 2022. Malware creators have recently begun testing the PoC vulnerability in low-volume attacks, most likely preparing for future full-fledged operations.
