From PC World: On November 12th, Microsoft claimed to have patched CVE-2025-60718, a security vulnerability in Windows 11 that was reported by Google’s Project Zero security division.
Now, however, Project Zero says that Microsoft's patch did not fully address the vulnerability. Shortly after the patch shipped, Project Zero posted a detailed follow-up explaining why the "fix" is incomplete and the factors involved.
In short, the vulnerability is a bug in the Administrator Protection feature: it lets a low-privileged process already running on the machine (for example, code the user was tricked into executing) escalate itself to full administrator rights. No physical access is required; the original report describes it as a local elevation of privilege:
A vulnerability exists in the Windows Administrator Protection feature that allows a low privileged process to get full access to a UI Access process which can be leveraged to access a shadow administrator process leading to elevation of privilege.
The follow-up explains the issue with the purported fix:
I took a quick look at the fix and I believe there’s an issue with it. […] The fix should be to only resolve the [path to the executable] once and use that going forward through the rest of the function.
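The pattern Project Zero is pointing at is a classic time-of-check/time-of-use (TOCTOU) race: the code resolves the executable's path once to decide whether it is trusted, then resolves it again when it actually uses it, and anything the attacker can change between the two resolutions defeats the check. The following is an added illustration of that pattern, not Project Zero's proof of concept and not Microsoft's code. It models the race with a symlink in a temporary directory that an attacker-controlled callback re-points between the two resolutions; all names (`launch_vulnerable`, `launch_fixed`, `is_trusted`, the `trusted`/`attacker` layout) are assumptions made for the example.

```python
# Added illustration of the "resolve the path twice" race. Not Project Zero's
# PoC and not Microsoft's code: a generic TOCTOU model on a constructed temp
# directory. Requires a filesystem that supports symlinks (Linux/macOS).
import os
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Optional, Tuple


def setup_sandbox() -> Tuple[Path, Path, Path, Path]:
    """Constructed layout (hypothetical):
         root/trusted/good.exe            the binary the policy should allow
         root/attacker/evil.exe           what the attacker wants executed
         root/link.exe -> trusted/good.exe  attacker-controlled link
    """
    root = Path(tempfile.mkdtemp())
    trusted, attacker = root / "trusted", root / "attacker"
    trusted.mkdir()
    attacker.mkdir()
    good, evil = trusted / "good.exe", attacker / "evil.exe"
    good.write_text("good")
    evil.write_text("evil")
    link = root / "link.exe"
    link.symlink_to(good)
    return root, link, good, evil


def is_trusted(resolved: Path, trusted_dir: Path) -> bool:
    """Policy check: the fully resolved target must live under trusted_dir."""
    return trusted_dir.resolve() in resolved.parents


def launch_vulnerable(link: Path, trusted_dir: Path, race: Callable[[], None]) -> Optional[str]:
    """Resolves for the check, then resolves AGAIN for the use.
    `race` models the attacker winning the window between the two."""
    checked = link.resolve()                 # resolution #1: what gets checked
    if not is_trusted(checked, trusted_dir):
        return None
    race()                                   # attacker re-points the link here
    used = link.resolve()                    # resolution #2: what gets used
    return used.read_text()                  # may now be the attacker's file


def launch_fixed(link: Path, trusted_dir: Path, race: Callable[[], None]) -> Optional[str]:
    """Resolves once; the same resolved path is both checked and used."""
    resolved = link.resolve()
    if not is_trusted(resolved, trusted_dir):
        return None
    race()                                   # attacker swaps the link; too late
    return resolved.read_text()              # same object that passed the check


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Runs both variants against the same link swap.
    Returns (what the vulnerable code ran, what the fixed code ran)."""
    root, link, good, evil = setup_sandbox()
    trusted_dir = root / "trusted"

    def swap() -> None:                      # the attacker's move in the race window
        link.unlink()
        link.symlink_to(evil)

    try:
        vuln = launch_vulnerable(link, trusted_dir, swap)
        link.unlink()                        # reset the link for the second run
        link.symlink_to(good)
        fixed = launch_fixed(link, trusted_dir, swap)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return vuln, fixed


if __name__ == "__main__":
    print(demo())
```

Resolving once, as the follow-up recommends, closes this particular window because the check and the use now refer to the same string. The strongest form of the same idea on a real system is to open the target once and perform every subsequent check and operation on that handle rather than on any path at all, since even a resolved path can be re-pointed by moving a parent directory.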
View: Full Article