Windows 0-day drops the same day Microsoft releases record number of patches - Ars Technica
Skip to content
AI
Biz & IT
Cars
Culture
Gaming
Health
Policy
Science
Security
Space
Tech
Forum
Subscribe
Story text
Size
Small<br>Standard<br>Large
Width
Standard<br>Wide
Links
Standard<br>Orange
* Subscribers only
Learn more
Pin to story
Theme
Search
Sign In
Sign in dialog...
Text<br>settings
Story text
Size
Small<br>Standard<br>Large
Width
Standard<br>Wide
Links
Standard<br>Orange
* Subscribers only
Learn more
Minimize to nav
Right on the heels of Microsoft releasing a record number of security patches, a researcher has published exploit code that can enable low-privilege Windows accounts to make sensitive changes to administrator accounts.
The exploit, which multiple researchers say works, is sending Microsoft scrambling, yet again, to patch a zero-day released by an anonymous researcher who has complained about the software maker’s handling of their bug reports. To date, the pseudonymous NightmareEclypse has published nine such exploits, including Tuesday’s HiveLegacy. The researcher said the proof-of-concept code included in the report was stripped down to prevent attackers from using it maliciously.
A “pretty powerful primitive”
HiveLegacy is an elevation-of-privilege exploit that targets a vulnerability residing in the Windows User Profile Service. It allows users (and with more work likely processes) with limited system rights to compromise an admin user’s account by modifying its classes registry hive, a resource that ensures the correct application opens when certain types of files are clicked on in Windows Explorer.
At a minimum, that means the attacker can modify the Windows registry associated with an administrator account. As written, the exploit requires the attacker to know another user’s credentials. The account need not be admin. An attacker must also know the username of a third account, also with or without admin status, on the machine.
“If I can set up the system so that it runs my code when the admin user logs in,” the attacker has de facto administrator privileges, Will Dormann, a senior principal vulnerability analyst at Tharros Labs, said in an interview. “I don’t need to be an admin myself.”
In a post, he said that “the ability of a non-admin user to be able to modify the classes registry hive of an admin user is a pretty powerful primitive. Clever attackers or people who want to accomplish something will easily be able to figure out how to do things that are more interesting and/or don’t even require user interaction.”
Dormann said that the exploit could possibly be chained to a separate one that gives direct access to an administrative account.
As explained in a post by a different analyst: “When a new user is logging on, Windows needs to load the user’s class hive. Since the user isn’t logged on before logging on (tautology, I know), it can’t be loaded in the context of the user. So it is loaded in the context of NT AUTHORITY\SYSTEM. LegacyHive abuses this.”
In an emailed statement, Microsoft said it’s aware of the vulnerability report and is investigating. The company also noted its preference that vulnerability reporters follow a coordinated disclosure policy.
For now, Windows users who want to protect their systems against HiveLegacy can run a detection script published by independent researcher Kevin Beaumont. Other defenses are to restrict local non-user account creation, monitor ProfSvc for unexpected hive loads, and track NTUSER.DAT/UsrClass.dat activity.
Dan Goodin
Senior Security Editor
Dan Goodin
Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
47 Comments
Comments
Forum view
Loading comments...
Prev story
Jurassic Park">Next story
1.<br>Sheetz is quitting VMware, migrating 11,000 virtual machines
2.<br>2026 Toyota RAV4 plug-in: Big battery means daily drives are all-electric
3.<br>Two Trump health nominees crash and burn in tense Senate hearing
4.<br>SpaceX scrubs Starship launch after some of its engines didn't start
5.<br>Linus Torvalds to critics of AI coding in Linux: "Fork it. Or just walk away."
Customize