Two New Vulnerabilities Found In Windows and Linux

Share post:

Two new vulnerabilities- one in Windows and the other in Linux – have been discovered recently, and these vulnerabilities allow hackers to bypass a vulnerable system and access sensitive resources.

One vulnerability allows the hacker access to low privileged OS resources where code can be executed or sensitive data can be read; a second vulnerability increases the execution of code or file access to OS resources reserved for password storage or other sensitive operations.

The researcher found that the contents of the security account manager- the database that stores user accounts and security descriptors for users on the local computer- could be read by users even if they had limited system privileges.

This made it possible to obtain cryptographically protected password data, find the password that installed Windows, obtain the computer keys for the Windows data protection API- which can be used to decrypt private encryption keys–and create an account on the affected machine.

The result is that the local user ends up with privileges up to the system, the highest level in Windows.

A Microsoft representative said that company officials would investigate the vulnerability and take appropriate action as needed, which is being tracked as CVE-2021-36934.

The exploit described comes with significant overhead, particularly around 1 million nested directories.

The attack also requires about 5GB of storage and 1 million inodes. Despite these complications, a Qualys representative described the PoC as “extremely reliable” and said it only takes about three minutes.

Linux users should check with the distributor if patches are available to fix the vulnerability. Windows users should wait for advisories from Microsoft and security experts.

For more information, read the original story in Arstechnica.


Related articles

Google’s Gemini AI caught scanning private Google Drive documents without permission

Google's Gemini AI has come under fire for scanning private PDF documents in Google Drive without user consent....

Massive AT&T breach in 2022 one of the largest private communications data breaches

AT&T announced a significant data breach affecting nearly all of its mobile phone customers, marking one of the...

Security research team claims to have helped avert a major supply chain attack

JFrog Security Research team continuously scans public repositories such as Docker Hub, NPM, and PyPI to identify malicious...

Phishing attacks on state and local governments surge by 360%

Phishing attacks targeting state and local governments have surged by 360% between May 2023 and May 2024, according...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways