Microsoft Failed to Fix a Zero-Day and Now Every Version of Windows Is at Risk - Gizmodo
Every version of Windows is at risk due to a scary zero-day vulnerability after Microsoft failed to patch the flaw.
The vulnerability takes advantage of a Windows Installer bug (tracked as CVE-2021-41379) that Microsoft thought it patched earlier this month.
Microsoft labeled the initial vulnerability as medium-severity, but Jaeson Schultz, a technical leader for Cisco’s Talos Security Intelligence & Research Group, stressed in a blog post that the existence of functional proof-of-concept code means the clock is ticking on Microsoft releasing a patch that actually works.
Naseri, who told BleepingComputer that he didn’t give Microsoft notice about the vulnerability before going public as a way to petition against smaller payouts in Microsoft’s bug bounty program, advises against third-party companies releasing their own patches because doing so could break the Windows installer.
“An attacker using the methods described must already have access and the ability to run code on a target victim’s machine,” Microsoft told BleepingComputer.