If you remember the Windows PrintNightmare saga, Microsoft had a really tough time slaying that bug, and the story dragged on for months. Now it looks like there's another security vulnerability that refuses to lie down.
The bug in question is a local privilege escalation (LPE) flaw in the Windows User Profile service. Microsoft tracks it as CVE-2021-34484, and it carries a CVSS v3 score of 7.8. The company supposedly patched the issue in its August 2021 Patch Tuesday update.
Despite that, security researcher Abdelhamid Naceri, who originally discovered the vulnerability in 2021, was able to bypass the Microsoft-provided patch. Microsoft then issued a further fix in the January 2022 Patch Tuesday update, but Naceri once again managed to get around it on all Windows versions except Server 2016.
The 0patch team, which often issues unofficial micropatches for security bugs, found that its own micropatch was not bypassable by Naceri's new technique. That micropatch targets a DLL file named profext.dll. However, Microsoft has since modified this DLL, which rendered the micropatch inapplicable and left users' systems vulnerable again.
To counter this, 0patch has now ported its fix for the new profext.dll and made it available for download. The firm says:
While our own micropatch was not bypassable using Abdelhamid's new trick, Microsoft modified the DLL we wrote the micropatch for (profext.dll), which meant we had to port our patch to the new version of this DLL to protect users who diligently apply Windows updates.
[...]
We ported our micropatch to the latest profext.dll on the following Windows versions:
- Windows 10 v21H1 (32 & 64 bit) updated with March 2022 Updates
- Windows 10 v20H2 (32 & 64 bit) updated with March 2022 Updates
- Windows 10 v1909 (32 & 64 bit) updated with March 2022 Updates
- Windows Server 2019 64 bit updated with March 2022 Updates
You can find details on how to obtain the micropatch in the source link below, but bear in mind that this is an unofficial workaround rather than a Microsoft-supplied fix.
Source: 0patch