This is the second time a third-party patcher has stepped in to fix the same Windows security issue

A locally exploitable Microsoft vulnerability (CVE-2021-34484) has been unofficially fixed by net heroes 0patch. Again. The bug, a privilege escalation flaw in the Windows User Profile Service that first came to light several months ago, has still not been properly closed by Microsoft, so 0patch has once more stepped in to neutralise the zero-day that had been leaving Windows 10, Windows 11, and Windows Server users open to attack.

When Microsoft last tried to fix the bug, its patch not only failed to close the hole but also broke 0patch's previous unofficial fix. There's a lot of to-ing and fro-ing between coders of different creeds, then, and it really isn't helping anyone. Here's how it played out:

Discovered and reported by Abdelhamid Naceri, the vulnerability scores a whopping 7.8 (High) on the CVSS v3 severity scale, although we can't find any reports of it having been exploited in the wild.

Still, the potential for local attackers to gain admin rights has been very real, and Bleeping Computer notes that, since mid-2021, the vulnerability has been marked as solved several times despite continuing to exist.

Back in August 2021, just after the vulnerability first came into view, Naceri noticed the door had been left ajar. Microsoft's official patch only partially fixed the issue, so Naceri sent a PoC (proof of concept) showing it was still possible to bypass the patch on any version of Windows.

That's when 0patch appeared with its first unofficial micropatch for profext.dll, which held the fort for a while, until Microsoft tried again in January 2022 and marked the bug as fixed. Naceri quickly found a way around that fix too, and to make matters worse, Microsoft's update replaced the very profext.dll file that 0patch's micropatch had been applied to. Because a micropatch is tied to one specific version of a binary, the new file meant the old micropatch no longer applied, and users were back to square one.

0patch has now ported the fix to the profext.dll shipped in Microsoft's latest Patch Tuesday update, so as long as you have a free 0patch Central account, you should be able to get the micropatch and undo the foibles of our most beloved Microsoft.

For its part, Microsoft has responded to Bleeping Computer with an acknowledgement that "we're aware of this report and will take action as needed to protect customers."

Katie Wickens
Hardware Writer

Screw sports, Katie would rather watch Intel, AMD and Nvidia go at it. Having been obsessed with computers and graphics for three long decades, she took Game Art and Design up to Masters level at uni, and has been demystifying tech and science—rather sarcastically—for three years since. She can be found admiring AI advancements, scrambling for scintillating Raspberry Pi projects, preaching cybersecurity awareness, sighing over semiconductors, and gawping at the latest GPU upgrades. She's been heading the PCG Steam Deck content hike, while waiting patiently for her chance to upload her consciousness into the cloud.