Every version of Windows is at risk due to a scary zero-day vulnerability after Microsoft failed to patch the flaw.
The vulnerability takes advantage of a Windows Installer bug (tracked as CVE-2021-41379) that Microsoft thought it patched earlier this month.
Microsoft labeled the initial vulnerability as medium-severity, but Jaeson Schultz, a technical leader for Cisco’s Talos Security Intelligence & Research Group, stressed in a blog post that the existence of functional proof-of-concept code means the clock is ticking on Microsoft releasing a patch that actually works.
Naseri, who told BleepingComputer that he didn’t give Microsoft notice about the vulnerability before going public as a way to petition against smaller payouts in Microsoft’s bug bounty program, advises against third-party companies releasing their own patches because doing so could break the Windows installer.
An attacker using the methods described must already have access and the ability to run code on a target victim’s machine,” Microsoft told BleepingComputer.
“Naseri, who told BleepingComputer that he didn’t give Microsoft notice about the vulnerability before going public as a way to petition against smaller payouts in Microsoft’s bug bounty program”
UK
Australia
France
Germany
Russia
India
Canada