A zero-day exploit targeting Windows has been made public after a security researcher claimed Microsoft failed to address the issue despite multiple disclosures. The flaw, which can be exploited to gain elevated system access, remains unpatched in current builds, leaving users exposed until an official fix is released.
The exploit, shared on GitHub, works against both 64-bit and ARM-based Windows systems running recent versions, including those updated with the latest security patches. While Microsoft has not yet acknowledged the vulnerability, researchers say it stems from a kernel-level driver issue that could allow attackers to bypass standard protections like User Account Control (UAC).
Key details of the exploit:
- Target: Windows 10/11 (64-bit and ARM)
- Impact: Local privilege escalation (LPE) to SYSTEM level
- Status: Unpatched, publicly disclosed
- Mitigation: Disable affected driver or isolate systems until patch arrives
The researcher, who has a history of reporting vulnerabilities to Microsoft, stated that they began disclosing the issue in December 2023 but received no response from the company. This is not the first time such a scenario has occurred; similar cases have led to delays in patching, often leaving users vulnerable for extended periods. Experts recommend users avoid running untrusted applications or scripts until Microsoft releases an official update.
For now, organizations should consider temporarily disabling the affected driver (identified as 'Win32k.sys') if its functionality is not critical to operations. While this may limit some system features, it prevents exploitation until a patch can be applied. Microsoft has not provided a timeline for when a fix might be available, but given past behavior, users should prepare for potential delays.
The release of the exploit underscores broader concerns about vendor responsiveness in security disclosures. In an era where zero-days are increasingly weaponized, transparency and timely patching remain critical to maintaining system integrity. Until Microsoft addresses this issue, users must rely on defensive measures to mitigate risk—though no solution is foolproof.
