A new security vulnerability has been discovered in the latest versions of Windows that hackers could use to remotely install programs, steal data and passwords, and even lock users out of their PCs. Microsoft says that all versions of Windows newer than Windows 10 version 1809 are affected — including the Windows 11 beta.
According to Microsoft’s bug report, the vulnerability stems from “overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database.” The bug has not been successfully exploited, but Microsoft’s report cautions that such an attack is “likely” given how severe the vulnerability is. In order to execute an attack, the attacker would need direct access to a person’s computer — either physically, or by tricking them into downloading malware-laden files. Once a hacker has access, they can give themselves full administrator controls and “install programs; view, change, or delete data; or create new accounts with full user rights.”
Q: what can you do when you have #mimikatz & some Read access on Windows system files like SYSTEM, SAM and SECURITY?
A: Local Privilege Escalation
Thank you @jonasLyk for this Read access on default Windows pic.twitter.com/6Y8kGmdCsp
— Benjamin Delpy (@gentilkiwi) July 20, 2021
Microsoft will ostensibly patch the issue in future security updates for Windows 10 and 11, but users should be careful until then. Practice common-sense data security, like not clicking on unknown email links or downloading files from sketchy websites, and using reliable anti-malware programs.
There is also a temporary workaround that restricts access to the vulnerable system files on your PC. This will keep hackers out but will make it harder to recover files using the System Restore feature — hence why it won’t work as a long-term solution. Nonetheless, it’s worth considering if you want to fully protect yourself from possible security breaches.
First, you need to restrict access to the “%windir%\system32\config” system folder.
- Use the taskbar to search for “PowerShell.” (Note: You can also perform these steps in Command Prompt.)
- Right-click “Windows PowerShell” from the results and click “Run as an administrator.”
- In PowerShell, type the following command:
icacls %windir%\system32\config\*.* /inheritance:e
- Press “Enter.”
Next, you need to delete your System Restore points. Make sure to do this after you restrict access to %windir%\system32\config.
- Right-click “My PC” from the Windows File Explorer and select “Properties.”
- Click “System Protection” from the left-hand menu.
- Click to highlight your local hard drive in the “Available drives” list, then click “Configure.”
- Click “Delete,” then “Continue” to confirm.
Once the old backups are deleted, you may create a new System Restore point if you want: Go back to the System Protection tab, highlight your drive, then click “Create.” Add a description for the restore point (such as the date and time), then click “OK.”
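A PowerShell audit script, added here as an example and not part of the article or of Microsoft’s advisory, that checks whether the SAM, SYSTEM and SECURITY hives grant read access to non-administrator groups (the vulnerable state), counts existing volume shadow copies (which still hold the old, readable hives until restore points are deleted), and with the -Fix switch applies the same icacls inheritance workaround the article gives. The $Fix switch and the $nonAdmin identity list are this example’s own choices; run it from an elevated PowerShell window.

```powershell
# Added example (not the article's or Microsoft's code). Run elevated.
param([switch]$Fix)

# %windir% is a cmd.exe variable; in PowerShell we expand it ourselves.
$configDir = Join-Path $env:windir 'System32\config'
$hives = 'SAM', 'SYSTEM', 'SECURITY'
# Groups that should never be able to read these hives (assumed list).
$nonAdmin = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$readBit = [System.Security.AccessControl.FileSystemRights]::ReadData

$exposed = @()
foreach ($hive in $hives) {
    $path = Join-Path $configDir $hive
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        # An Allow ACE for a non-admin group that includes ReadData is the
        # overly permissive ACL the article describes.
        if ($ace.AccessControlType -eq 'Allow' -and
            $nonAdmin -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $readBit)) {
            $exposed += [pscustomobject]@{
                Hive     = $hive
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

if ($exposed) {
    Write-Warning 'Hives readable by non-administrators (vulnerable state):'
    $exposed | Format-Table -AutoSize
} else {
    Write-Host 'No non-administrator read access found on SAM/SYSTEM/SECURITY.'
}

# Shadow copies created before the fix still contain readable hives, which is
# why the article has you delete System Restore points afterwards.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
Write-Host ('Existing volume shadow copies: {0}' -f @($shadows).Count)

if ($Fix -and $exposed) {
    # Same workaround command as the article, with the path spelled out.
    icacls "$configDir\*.*" /inheritance:e
}
```

Re-run without -Fix afterwards to confirm the warning no longer appears, then delete the restore points as described above so the old shadow copies are gone too.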