Microsoft fixes record patch count as Windows zero-day emerges

▼ Summary
– A researcher published exploit code called HiveLegacy that allows low-privilege Windows accounts to make sensitive changes to administrator accounts.
– The exploit targets a vulnerability in the Windows User Profile Service, enabling modification of an admin user’s registry hive.
– The researcher, pseudonymous NightmareEclypse, released the exploit due to complaints about Microsoft’s handling of their bug reports.
– HiveLegacy requires the attacker to know another user’s credentials and the username of a third account on the machine.
– Microsoft is scrambling to patch this zero-day exploit, which multiple researchers confirm works.
Hot on the heels of Microsoft’s largest-ever batch of security fixes, a publicly released exploit is already making waves. A researcher has shared code that allows low-privilege Windows accounts to make critical changes to administrator-level user profiles, raising fresh concerns about system security.
Multiple security experts have confirmed the exploit works, putting Microsoft in a familiar position: scrambling to respond to a zero-day vulnerability published by an anonymous researcher who has voiced frustration over how the company handles bug reports. Operating under the pseudonym NightmareEclypse, the researcher has now released nine such exploits, the latest being HiveLegacy, published on Tuesday. Notably, the proof-of-concept code was deliberately stripped down to limit its potential for malicious use, according to the researcher.
HiveLegacy functions as an elevation-of-privilege exploit targeting a flaw in the Windows User Profile Service. The vulnerability enables users,and, with additional effort, possibly processes,operating with limited system rights to compromise an administrator account. They do this by modifying the account’s classes registry hive, which controls which application opens when certain file types are clicked in Windows Explorer.
At a minimum, this gives an attacker the ability to alter the Windows registry associated with an admin account. The current version of the exploit requires the attacker to know another user’s credentials, though that account does not need administrator privileges. Additionally, the attacker must know the username of a third account on the same machine, which may also lack admin status. Despite these constraints, security researchers describe the exploit as a “pretty powerful primitive” that could be refined for broader attacks.
(Source: Ars Technica)




