A zero-day vulnerability in Windows 10, Windows 11 and Windows Server allows attackers to gain administrative privileges. The vulnerability has been known for several months and, despite two previous patches, has still not been fixed.
An unofficial patch, however, does resolve the problem.
The vulnerability affects the Windows User Profile Service and is tracked as CVE-2021-34484, with a CVSS v3 score of 7.8. Bleeping Computer points out that it was discovered in the summer by researcher Abdelhamid Naceri, who informed Microsoft; the company released a patch in August 2021.
Shortly afterwards, however, Naceri found that this patch did not fix the vulnerability. Microsoft therefore released a second patch in January 2022, but Naceri found a way to bypass that fix as well.
0patch, which releases unofficial patches (particularly for Windows versions that are no longer supported and for vulnerabilities Microsoft has not fixed), already released an update in November that fixes the problem.
This unofficial patch has now been ported to the updates Microsoft released on March Patch Tuesday. The update is available free of charge to registered users.