A new vulnerability in Windows 10 allows hackers to become administrators. Microsoft has fixed the vulnerability with a security update.

CVE-2022-21882 was discovered in December by security expert RyeLv. The vulnerability allows hackers to call the relevant user-level GUI API to make kernel calls. The kernel functions result in a callback, which hackers can intercept to modify the window type. After the last callback, the system does not check if the window type has changed. As a result, the wrong data is referenced. Ultimately, it leads to hackers gaining access to admin level system privilege, thus adding new users or performing other privileged actions with dire consequences for Windows 10 systems. The vulnerability does not appear to affect Windows 11.

Patching

RyeLv has notified Microsoft of the vulnerability in Windows 10. The tech giant fixed the vulnerability in a recent January 2022 update.

Many administrators hoped to delay recent patches due to a large number of bugs brought about for Windows Server. One of the updates caused Windows to spontaneously reboot; there were L2TP VPN issues; non-accessible ReFS volumes were created and Hyper-V ceased to function in some instances. The newly found vulnerability means there’s no way around installing the latest patches.

Better bug bounty program desired

According to RyeLv, there could well be more similar vulnerabilities for Windows 10. He indicates that searching for these vulnerabilities is not rewarding enough for security specialists. Microsoft’s bug bounty rewards have been decreasing. According to RyeLv, improvements to Microsoft’s kernel zero-day bounty program would create more incentive and solve the problem.