Researchers have identified a new way to exploit a Windows 10 vulnerability, first identified in May, that allowed hackers to escalate their privileges on the target computer.
After the bug came to light, Microsoft released a patch that was supposed to fix the problem, but the update appears to have failed to protect against alternative exploits.
According to Maddie Stone, a researcher at Google Project Zero, the Windows 10 flaw can still be abused with small adjustments to the attack method.
“The original issue was an arbitrary pointer dereference, which allowed the attacker to control the src and dest pointers to a memcpy,” Stone tweeted.
Microsoft’s patch was ineffective, she explains, because it “simply changed the pointers to offsets, which still allows control of the args to the memcpy.”
The main fear with partial fixes is that hackers can more easily use knowledge of the original exploit to develop new zero-days.
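The failure mode Stone describes, reduced to a minimal added example (not code from Microsoft, Kaspersky or Project Zero; the request structure, buffer size and function names are hypothetical): replacing caller-supplied pointers with offsets only helps if every offset and length is checked against the buffer before the copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHARED_SIZE 256u /* assumed size of the buffer both sides can see */

/* Hypothetical request sent by an unprivileged client to a privileged service. */
struct copy_request {
    uint32_t src_off; /* source offset inside the shared buffer */
    uint32_t dst_off; /* destination offset inside the shared buffer */
    uint32_t len;     /* number of bytes to copy */
};

/* Incomplete fix: offsets replace raw pointers but are still trusted as-is,
   so base + offset can resolve outside the shared buffer. Shown only as the
   "before" pattern; main() below never calls it. */
int copy_unchecked(uint8_t *base, const struct copy_request *r) {
    memcpy(base + r->dst_off, base + r->src_off, r->len);
    return 0;
}

/* True when [off, off + len) lies inside a region of `size` bytes.
   Written so that off + len is never computed and cannot wrap around. */
static int in_bounds(uint32_t off, uint32_t len, uint32_t size) {
    return off <= size && len <= size - off;
}

/* Hardened form: both ranges are validated before any byte is touched. */
int copy_checked(uint8_t *base, const struct copy_request *r) {
    if (!in_bounds(r->src_off, r->len, SHARED_SIZE) ||
        !in_bounds(r->dst_off, r->len, SHARED_SIZE))
        return -1; /* reject the request instead of copying */
    memmove(base + r->dst_off, base + r->src_off, r->len); /* ranges may overlap */
    return 0;
}

int main(void) {
    uint8_t buf[SHARED_SIZE] = {0};
    memcpy(buf, "hello", 5);                 /* constructed sample data */
    struct copy_request ok  = {0, 16, 5};    /* stays inside the buffer */
    struct copy_request bad = {0, 4096, 5};  /* destination far outside it */
    printf("in-range request:     %d\n", copy_checked(buf, &ok));
    printf("out-of-range request: %d\n", copy_checked(buf, &bad));
    return 0;
}
```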
Windows 10 security bug
First identified by researchers at security firm Kaspersky, the bug affects a number of Windows operating systems, including various iterations of Windows 10, Windows Server, Windows 7 and Windows 8.
Although the vulnerability was rated 7.5/10 overall by the Common Vulnerability Scoring System (CVSS), it was classified as maximum severity specifically in relation to Windows 10 devices.
By chaining it with another flaw present in Internet Explorer 11, hackers abused the Windows bug to run malicious code on affected devices, allowing them to escalate their privileges to kernel level.
To demonstrate that the vulnerability can still be exploited, Stone published a proof of concept based on the material Kaspersky made available with the original discovery.
Microsoft was alerted to the alternative exploit in mid-September and acknowledged the problem. The company intended to release a second patch in November, but further complications mean the fix has been postponed to January.
Owners of affected devices will have to wait for the patch to land in the new year.
Via Bleeping Computer