New Windows 10 zero-day gives admin rights, gets unofficial patch


New Windows 10 MDM privesc zero-day gets a free micropatch

Free unofficial patches have been released to protect Windows users from a local privilege escalation (LPE) zero-day vulnerability in the Mobile Device Management Service impacting Windows 10, version 1809 and later.

The security flaw resides under the “Access work or school” settings, and it bypasses a patch released by Microsoft in February to address an information disclosure bug tracked as CVE-2021-24084.

However, security researcher Abdelhamid Naceri (who also reported the initial vulnerability), after publicly disclosing the newly spotted bug in June, discovered this month that the incompletely patched flaw could also be exploited to gain admin privileges.
