Tracked as CVE-2021-34484, the “zero-day” flaw

Post by reno »

flaw enables hackers to breach all versions of Windows (including Windows 10, Windows 11 and Windows Server 2022) and take control of your computer. And the worst part is the flaw has been known about for some time.
The reason for this is Microsoft mistakenly thought it had patched the vulnerability (which was first found in August) when it was publicly disclosed in October. But the fix itself was found to be flawed, something the company admitted, and this drew even more attention to the vulnerability. Microsoft subsequently promised to “take appropriate action to keep customers protected” but two weeks later, a new fix has still not arrived.
But this is where all Windows users can take control. Third party security specialist 0patch has beaten Microsoft to the punch with a ‘micropatch’ that it has now made available for all Windows.
patch info link.
https://blog.0patch.com/2021/11/micropa ... tched.html

story link - https://www.forbes.com/sites/gordonkell ... fe2aa149c0

Re: Tracked as CVE-2021-34484, the “zero-day” flaw

Post by FlyingPenguin »

Yea 0Patch also has support for Windows 7 bugs that MS is no longer patching. Interesting service. They make some patches free to get attention, but their service is a subscription.

As for this CVE, first off it's not a "zero day". The press has been constantly misreporting the term zero day lately.

And while it's bad, it's mainly bad for enterprise networks. It's virtually no risk at all for us home users, or even most small businesses. It's a very targeted attack that would require the attacker to know a non-admin login on the PC.

It also doesn't allow someone into your network from outside unless your PC can be logged into from outside the network, like a remote login on a corporate network, so again, more of a threat to enterprise customers.

From Steve Gibson's Security Now podcast covering this:
The good news is that the exploitation of the bug requires a threat actor to have the login credentials for some other account on the system. But there are scenarios where this could allow a user to escape administrative control. And Dormann agreed that it is “Definitely still a problem. And there may be scenarios where it can be abused. But the two-account requirement probably puts it in the boat of not being something that will have widespread use in the wild.” And I certainly agree with that. However, Naceri told BleepingComputer that a threat actor only needs another domain account to exploit the vulnerability, so it should still be something to be concerned about. And for what it's worth, Microsoft said they are aware of the issue and are looking into it.