Microsoft has released a workaround for a privilege elevation flaw that affects the Security Accounts Manager (SAM) database in all versions of Windows 10 and could allow attackers to access data and create new accounts on systems.
The vulnerability, marked as CVE-2021-36934, could allow local attackers to execute their own code with system privileges.
The vulnerability was discovered over the weekend by Jonas Lyk, but the US CERT coordination center identified several other ways the bug could affect Windows 10 machines.
Some of them involve an attacker extracting and using password hashes for accounts, discovering the original Windows installation password, obtaining DPAPI computer keys, and obtaining a computer machine account.
The bug affects the SAM of versions of Windows 10 from version 1809.
It may be more urgent to patch because the details of the vulnerability are publicly available.
For more information, read the original story in ZDNet.
