As part of another major security update, Microsoft has patched 570 vulnerabilities in its products, including Windows and the Office suite. However, the release of these patches came with an unpleasant surprise: a working exploit has leaked into the public domain, allowing attackers to hijack control of administrator accounts.
AI vs. Legacy Code
Representatives of the tech giant warned the IT community in advance about a sharp increase in the volume of monthly updates. Company management attributes this surge to the implementation of specialized artificial intelligence models. According to reports, AI scanners allow developers to analyze legacy code fragments significantly faster and identify errors that had gone unnoticed for years. This enables them to close critical holes before hackers can exploit them.
Zero-Day Threats
Among the patched vulnerabilities, at least two had "zero-day" status and were already being used in real-world attacks. The first was found in Windows Server and allowed attackers to escalate their privileges to the administrator level. The second was discovered in the SharePoint file-sharing server. The US Cybersecurity and Infrastructure Security Agency (CISA) officially confirmed that this vulnerability was actively used to hack corporate networks.
HiveLegacy Exploit
Almost immediately after the release of the updates, an independent researcher under the pseudonym NightmareEclypse published the demonstration code for the HiveLegacy exploit. This is already the ninth such tool released by the specialist into the public domain. In his statements, the researcher explained his actions as dissatisfaction with how Microsoft responds to reports of found bugs.
The exploit takes advantage of a vulnerability in the Windows User Profile Service. The technology allows a regular local user without administrative privileges to modify the registry hive belonging to the administrator. This makes it possible to configure the system so that malicious code automatically runs when the administrator logs in, effectively giving the attacker full control over the device.
To carry out the attack, the attacker needs to know the credentials of one user and the name of a third account on the same computer. Leading security analysts have already confirmed the exploit's functionality, calling it an "extremely dangerous tool" that can be easily modified to conduct complex attacks.
Microsoft stated that they are reviewing the report on the HiveLegacy vulnerability and urged researchers to adhere to the coordinated disclosure policy.