Google flags Windows 11 security fix as incomplete. Microsoft ignores it
On November 12th, Microsoft claimed to have patched CVE-2025-60718, a security vulnerability in Windows 11 that was reported by Google's Project Zero security division.
Now, however, Project Zero claims that Microsoft did not successfully manage to fully address the vulnerability. In fact, Project Zero soon after wrote a detailed response that explained why the "fix" was problematic and the various factors involved in greater depth.
In short, the security vulnerability in question is a bug in the Administrator Protection feature, which allows a hacker to run malicious code if they can gain physical access to the computer:
A vulnerability exists in the Windows Administrator Protection feature that allows a low privileged process to get full access to a UI Access process which can be leveraged to access a shadow administrator process leading to elevation of privilege.
The follow-up explains the problem with the purported fix:
I took a quick look at the fix and I believe there's an issue with it. […] The fix should be to only resolve the [path to the executable] once and use that going forward through the rest of the function.
Furthermore:
In mitigation, while this issue hasn't been completely fixed, it is only a local privilege escalation and requires running arbitrary code on the machine. Administrator Protection is an opt-in feature only available on Windows 11 25H2 and the fix isn't active without it being enabled. This means even without this incomplete fix, the issue was still a UAC bypass, but UAC's not a security boundary.
In addition, it looks like Administrator Protection as a feature is currently disabled via a feature flag for all the Windows 11 machines I've tested so you can't enable the feature even if you wanted to.
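The "resolve it once and use that going forward" remark above describes a general defect class: a value is resolved, validated, then resolved a second time for actual use, and nothing guarantees the second answer matches the first. The following is an added, constructed illustration of that pattern and its hardened counterpart. It is not Microsoft's code, not Project Zero's proof of concept, and not the actual Administrator Protection logic; the `Resolver` class, the `TRUSTED_PREFIX` check and the sample paths are all invented stand-ins for a lookup whose result can change between two calls.

```python
"""
Generic model of the "resolve twice" defect described in the quoted follow-up.
Constructed example: the resolver, prefix check and paths are hypothetical and
stand in for any lookup whose answer can change between a check and a use.
"""
from dataclasses import dataclass

# Hypothetical allow-list: only executables under this prefix may be launched.
TRUSTED_PREFIX = "C:\\Windows\\"


@dataclass
class Resolver:
    """Hypothetical path resolver.

    `answers` lists the results returned on successive calls, which simulates a
    target that is changed between two lookups (the last answer repeats).
    """
    answers: list
    calls: int = 0

    def resolve(self, requested: str) -> str:
        self.calls += 1
        index = min(self.calls - 1, len(self.answers) - 1)
        return self.answers[index]


def launch_double_resolve(resolver: Resolver, requested: str):
    """Defective pattern: validate one resolution, then resolve again for use.

    Returns the path that would be launched, or None if validation fails.
    """
    validated = resolver.resolve(requested)
    if not validated.startswith(TRUSTED_PREFIX):
        return None
    # Second lookup: the value actually used may differ from the one validated.
    return resolver.resolve(requested)


def launch_single_resolve(resolver: Resolver, requested: str):
    """Hardened pattern (the fix the quote recommends): resolve exactly once and
    carry that single value through validation and use.
    """
    resolved = resolver.resolve(requested)
    if not resolved.startswith(TRUSTED_PREFIX):
        return None
    return resolved


def demonstrate() -> dict:
    """Run both patterns against a resolver whose answer changes after the
    first call, and return what each pattern would end up launching.
    """
    changing = ["C:\\Windows\\System32\\notepad.exe", "C:\\Temp\\swapped.exe"]
    return {
        "double": launch_double_resolve(Resolver(list(changing)), "link"),
        "single": launch_single_resolve(Resolver(list(changing)), "link"),
    }


if __name__ == "__main__":
    for pattern, launched in demonstrate().items():
        print(f"{pattern:>6}: {launched}")
```

Running it shows the double-resolve version passing validation on the trusted path and then using the swapped one, while the single-resolve version only ever acts on the value it checked. The same discipline applies beyond paths: any security decision should be made on exactly the object that is subsequently used, not on a fresh lookup of the same name.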
What's astonishing is that Microsoft claimed to have fixed the issue on November 12th, then Google made this detailed follow-up a week later on November 19th, with another follow-up the next day on November 20th, yet Microsoft has ignored it completely, with no response of its own, failing to even acknowledge the incomplete patch.
Although the risk of harm is considered small, we hope that Microsoft will take a closer look at Google's detailed write-up and implement the necessary fixes to properly address what they claimed to have fixed.
This text initially appeared on our sister publication PC för Alla and was translated and localized from Swedish.

