What you need to know
- A researcher has publicly disclosed a zero-day local privilege elevation vulnerability in Windows.
- The researcher disclosed the vulnerability due to frustration with Microsoft's decreasing payouts for bug bounties.
- The vulnerability allows a Windows user with Standard privileges to open the command prompt with SYSTEM privileges.
A researcher publicly disclosed a zero-day local privilege elevation vulnerability in Windows 11, Windows 10, and Windows Server. The vulnerability allows a user with Standard privileges to open the command prompt with SYSTEM privileges. This access could be leveraged to spread malicious content throughout a network.
The vulnerability was reportedly publicly disclosed due to frustration with Microsoft's decreasing payouts for bug bounties. The researcher, Abdelhamid Naceri, told Bleeping Computer, "Microsoft bounties [have] been trashed since April 2020, I really wouldn't do that if MSFT didn't take the decision to downgrade those bounties."
This is a common complaint among bug hunters. Microsoft's payouts through its bug bounty program have gone down over the years in many instances.
Under Microsoft's new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000 💀 — MalwareTech (@MalwareTechBlog) July 27, 2020
Microsoft fixed an issue with its November 2021 Patch Tuesday updates, but a related vulnerability remained. Naceri found a bypass to the patch and a more powerful vulnerability. Naceri published a proof-of-concept exploit on GitHub. The GitHub page also explains the vulnerability in more depth.
Bleeping Computer tested the exploit, which proved to be able to gain SYSTEM privileges while on an account with Standard privileges.
A fix for this vulnerability is likely on the way from Microsoft, though the company has not commented on it at this point.
Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at firstname.lastname@example.org.
I understand the frustration, but Mr. Naceri's actions are reckless!
The idea behind the bug bounties was to stop them from being traded on the dark net, where actual reckless actions take place. At least he's still disclosed it publicly rather than privately to a malicious actor of unknown origin.
Those trading in software vulnerabilities on the dark web are definitely reckless, in that they will do things like use ransomware to extort a hospital, even if it puts countless patients at risk. That doesn't mean that it's not reckless to make unpatched vulnerabilities public, because the same malicious users could take advantage of them before they're patched. Presumably, the person involved here is trying to "encourage" Microsoft to increase their bug bounty to its former level. I don't know whether that amount is actually warranted, based on the amount of work involved, but what he's doing could be considered extortion too.
True, the action isn't correct and would be considered extortion. But idk at the same time, the person basically poured the time and resources into researching the vulnerability and only getting paid like that certainly makes it unfair to that person. Especially if he/she accepted and others as well, it might give Microsoft any incentive to provide higher bounty in the future. What this researcher did is wrong, but also even Google kinda does this as well. So maybe it is legal? And Microsoft really has to reconsider their decisions and increase the bounty to former levels. Microsoft cannot assume others will voluntarily research security vulnerabilities out of pure goodwill alone. This could have been worse if this was never public but still distributed over the dark web, which Microsoft may not catch quickly and will spread in their without much anybody knowing.
It's definitely legal and I certainly wasn't suggesting otherwise. The question is whether it's responsible. Microsoft is still paying $1000 for such a bug report, so they're not expecting people to do it out of the goodness of their heart. As I said here and elsewhere, I don't know exactly how much work is involved so I don't know whether $1000 or $10000 is the fairer compensation.
Are you serious and sober? The reckless actions are all in MICROSOFT'S OFFICES.
That's just dumb.
Ethics vs money. The age-old fight.
I don't know exactly how much work is involved in finding security issues like this. If it takes many hours of significant work then it probably is reasonable to expect significant compensation. I suspect that it would cost Microsoft far more than $1000 per security issue to hire their own staff to do it.
Money is tight, they are only worth $2.5 trillion
If $1000 is fair compensation for the work involved, should they just pay $10000 for the hell of it? Why not $50000? Do you know what fair compensation is for the work involved in uncovering such a security bug? I doubt it. I certainly don't. I would suggest that they pay whatever is fair, whether that be $1000 or $10000 or some other amount.
Microsoft deserves it
Windows is now worth what you paid for it, along with the Quality Assurance process your $$$$ help subsidize. MS jettisoned any real need to care what you people think when they decided their OS was 'free', and that you people would be the QA organization. I'm still waiting for the US gummint to finally grow a pair and decide MS is in that group of companies and PRODUCTS that are Too Big To Fail, and start stress testing and punishing poor performance in what is obviously a monopoly. That's the Clear and Present Danger with a monopoly that can hold a Nation hostage with sloppy work and Below Average merchandise.