A new security vulnerability has been discovered in the latest versions of Windows that hackers could use to remotely install programs, steal data and passwords, and even lock users out of their PCs. Microsoft says that all versions of Windows newer than Windows 10 version 1809 are affected—including the Windows 11 beta.
According to Microsoft’s bug report, the vulnerability stems from “overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database.” The bug has not been successfully exploited, but Microsoft’s report cautions that such an attack is “likely” given how severe the vulnerability is. In order to execute an attack, the attacker would need direct access to a person’s computer—either physically, or by tricking them into downloading malware-laden files. Once a hacker has access, they can give themselves full administrator controls and “install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft will ostensibly patch the issue in future security updates for Windows 10 and 11, but users should be careful until then. Practice common-sense data security: avoid clicking on unknown email links or downloading files from sketchy websites, and use reliable anti-malware programs.
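
A defender-side check for the ACL condition quoted from Microsoft's report, as an added example that is not from Microsoft or the original article: it flags Allow entries that grant read access on the hive files to broad, non-administrative groups. The `%windir%\System32\config` location, the inclusion of the SYSTEM and SECURITY hives alongside SAM, and the list of groups treated as too broad are assumptions.

```powershell
# Added example: audit hive-file ACLs for read access granted to broad groups.
# Assumption: hives live in %windir%\System32\config (standard Windows layout).
$hiveDir = Join-Path $env:windir 'System32\config'
# SAM is named in the report; SYSTEM and SECURITY are assumed members of
# the "multiple system files" it mentions.
$hives = 'SAM', 'SYSTEM', 'SECURITY'

# Well-known SIDs, so the check works regardless of the OS display language.
$broadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}
$readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$findings = foreach ($name in $hives) {
    $path = Join-Path $hiveDir $name
    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
    } catch {
        # A non-admin being refused here is the expected, locked-down result.
        [pscustomobject]@{ File = $path; Principal = '-'; Rights = '-'
                           Status = "ACL not readable: $($_.Exception.Message)" }
        continue
    }
    # Request explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid     = $rule.IdentityReference.Value
        $isAllow = $rule.AccessControlType -eq 'Allow'
        $canRead = ([int]$rule.FileSystemRights -band $readBit) -ne 0
        if ($isAllow -and $canRead -and $broadSids.ContainsKey($sid)) {
            [pscustomobject]@{ File = $path; Principal = $broadSids[$sid]
                               Rights = $rule.FileSystemRights
                               Status = 'OVERLY PERMISSIVE' }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
if ($findings | Where-Object Status -eq 'OVERLY PERMISSIVE') {
    Write-Warning 'Non-administrative groups can read one or more hive files.'
} else {
    Write-Output 'No read access for broad groups found on the checked hive files.'
}
```

Run it from a standard (non-elevated) account as well as an elevated one: the non-elevated run shows what an unprivileged process on the machine would see.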