Although Microsoft fixed this problem with the November 2021 update (CVE-2021-41379), the security researcher, frustrated with the Microsoft Bug Bounty program, found a way around the fix and publicly disclosed an even more severe, unpatched exploit. The program allows security researchers, and virtually anyone else, to earn money by finding and reporting bugs in the operating system. According to Naceri, the software giant used to pay around $10,000 for a zero-day exploit. Since April 2020, however, the payout has been falling, to the point that reporting an exploit today will only get you $1,000.

“Under Microsoft’s new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000,” the tweet from @MalwareTech reads.

“This variant was discovered during the analysis of CVE-2021-41379 patch. The bug was not fixed correctly. However, instead of dropping the bypass, I have chosen to actually drop this variant as it is more powerful than the original one,” Naceri notes in his write-up on the GitHub page where he shows off a working proof-of-concept exploit for the new zero-day. BleepingComputer, the site that first reported the case, tested the exploit successfully on a Windows 11 machine with the latest patches available through Windows Update.

While it’s unclear why Microsoft is paying less for bounties, it might be because more and more bugs have been found in recent years during feature updates and cumulative updates. As a result, the company sees more reports than the established budget can cover. Or it might be that the software giant wants fewer people trying to break into Windows.