- A security researcher has publicly disclosed a vulnerability in Windows 11.
- The reason for the disclosure was frustration with the low payout in the bug bounty program.
- The vulnerability had been fixed by Microsoft, but the researcher found a workaround that leads to a more severe security hole.
A security researcher, Abdelhamid Naceri, has publicly disclosed a vulnerability in Windows 11, Windows 10, and Windows Server that gives an attacker system privileges, allowing elevated commands to be run from a standard-privilege account.
Although Microsoft fixed this problem with the November 2021 update (CVE-2021-41379), the researcher found a way around the fix that leads to an even more severe, unpatched exploit, and disclosed it out of frustration with the Microsoft Bug Bounty program. The program allows security researchers, and virtually anyone else, to earn money by finding and reporting bugs in the operating system.
According to Naceri, the software giant used to pay around $10000 for a zero-day exploit. However, since April 2020 the payout has been going down, to the point that reporting an exploit today will only get you $1000. “Under Microsoft’s new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000,” reads the tweet from @MalwareTech.
“This variant was discovered during the analysis of CVE-2021-41379 patch. The bug was not fixed correctly. However, instead of dropping the bypass, I have chosen to actually drop this variant as it is more powerful than the original one,” Naceri notes in his write-up on the GitHub page, where he shows a working proof-of-concept exploit for the new zero-day.
BleepingComputer, the site that first reported this case, tested the exploit successfully on a Windows 11 machine with the most up-to-date patches available through Windows Update.
While it’s unclear why Microsoft is paying less for bounties, it might be because more and more bugs have surfaced in recent years during feature updates and cumulative updates. As a result, the company may be seeing an increase in reports that the established budget won’t cover. Or it might be the case that the software giant wants fewer people trying to break into Windows.