Researcher discloses Windows bug due to frustration with bounty program

A Standard user can gain SYSTEM access on a PC if they exploit a newly disclosed Windows bug.

What you need to know

A researcher has publicly disclosed a zero-day local privilege elevation vulnerability in Windows.
The researcher disclosed the vulnerability due to frustration with Microsoft’s decreasing payouts for bug bounties.
The vulnerability allows a Windows user with Standard privileges to open the command prompt with SYSTEM privileges.

A researcher publicly disclosed a zero-day local privilege elevation vulnerability in Windows 11, Windows 10, and Windows Server. The vulnerability allows a user with Standard privileges to open the command prompt with SYSTEM privileges. This access could be leveraged to spread malicious content throughout a network.

The vulnerability was reportedly publicly disclosed due to frustration with Microsoft’s decreasing payouts for bug bounties. The researcher, Abdelhamid Naceri, told Bleeping Computer, “Microsoft bounties [have] been trashed since April 2020, I really wouldn’t do that if MSFT didn’t take the decision to downgrade those bounties.”

This is a common complaint among bug hunters. Microsoft’s payouts through its bug bounty program have gone down over the years in many instances.

Under Microsoft’s new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000 ?— MalwareTech (@MalwareTechBlog) July 27, 2020

Microsoft fixed an issue with its November 2021 Patch Tuesday updates, but a related vulnerability remained. Naceri found a bypass to the patch and a more powerful vulnerability. Naceri published a proof-of-concept exploit on GitHub. The GitHub page also explains the vulnerability in more depth.

Bleeping Computer tested the exploit, which proved to be able to gain SYSTEM privileges while on an account with Standard privileges.

A fix for this vulnerability is likely on the way from Microsoft, though the company has not commented on it at this point.

Researcher discloses Windows bug due to frustration with bounty program