Navigation section

Windows 11 Administrator Protection Patch Criticized as Incomplete by Project Zero

  • Thread Author
Microsoft shipped a November patch that it said fixed a privilege‑escalation defect in Windows 11’s new Administrator Protection feature — but independent researchers say the remedy was incomplete, and public records show the exchange between Google’s Project Zero and Microsoft has not produced a clear, public resolution.

A glowing shield labeled 'Administrator Protection' blocks an untrusted DLL path on a cybersecurity interface.Background​

Administrator Protection is a relatively new Windows 11 security feature designed to make elevation of administrative rights a harder target for classic UAC bypasses by isolating elevated activities in a system‑managed, separate administrator profile. The feature changes how elevated tokens are created, where elevated processes run, and which profile and registry hives they use — a deliberate shift meant to reduce the attack surface for elevation‑of‑privilege exploits. Microsoft’s developer documentation explains the goals and design tradeoffs of Administrator Protection and its profile‑separation approach. On November 11–12, 2025, Microsoft included a fix for a newly tracked flaw, CVE‑2025‑60718, in its Patch Tuesday cumulative update (KB5068861). The National Vulnerability Database (NVD) records CVE‑2025‑60718 as an untrusted search path weakness in the Administrator Protection implementation that allows a local actor to escalate privileges, and rates the issue as high severity. Microsoft’s KB release notes and support page list the update that carries the remediation in the November 11, 2025 rollup. Shortly after Microsoft’s announcement, Google’s Project Zero — the zero‑day hunting and responsible‑disclosure team — publicly flagged the November patch as failing to fully address the underlying problem. Project Zero’s follow‑ups assert that the fix does not eliminate the untrusted search path used by a low‑privileged process to obtain access to a UI‑Access process and ultimately to the shadow administrator process used by Administrator Protection. That attack chain, Project Zero noted, can still result in local elevation if an attacker can run arbitrary code on a victim machine. The public narrative about the incompleteness of the fix — and an apparent lack of public response from Microsoft to Project Zero’s detailed post‑mortem — is the core of the current debate. The community‑curated discussion and reporting around the November patch and these follow‑ups shows the incident’s timeline and the technical issues being debated.

What the vulnerability is (plain language)​

  • The flaw is categorized as CWE‑426: Untrusted Search Path — a classic problem where a privileged process loads code or resources by relative path without properly validating the location, allowing an attacker who puts a crafted payload in that location to be loaded with elevated privileges.
  • In this case, the attack surface ties to Administrator Protection’s shadow admin design: a low‑privileged process can, under certain conditions, influence the set of binaries or libraries that a UI‑Access or elevated process will load, enabling local privilege escalation.
  • Important mitigation context: the vulnerability requires the attacker to already be able to run arbitrary code on the machine (a local exploit or physical access scenario). In other words, CVE‑2025‑60718 is an elevation‑of‑privilege defect rather than a remote code‑execution bug. That does not make it unimportant — elevation defects are how local footholds become full‑system compromises — but it does frame the exploitability model and the immediate risk. The NVD and several vulnerability databases reflect this local‑attack vector and the high severity rating.

Timeline: disclosure, patch, and follow‑up​

  • November 11, 2025 — Microsoft ships the November cumulative update (KB5068861) that lists remediation for an Administrator Protection elevation issue among many other fixes. The Microsoft update page and the KB release notes are the published vendor advisories for that rollout.
  • November 11–12, 2025 — public vulnerability records (NVD, CVE aggregators) register CVE‑2025‑60718 with vendor attribution to Microsoft and a CVSS score around 7.8 (High).
  • November 19–20, 2025 — Google’s Project Zero publishes a technical follow‑up saying the patch does not fix the root cause: Project Zero’s analysis claims the remediation resolves only a single code path rather than normalizing the executable path consistently across the function flow, leaving another exploitable window. Project Zero characterizes the remaining issue as an untrusted search path problem that still allows a low‑privileged process to escalate to the shadow admin. Community reporting and discussion threads picked up Project Zero’s critique and expanded the analysis.
  • Public reaction — security vendors and vulnerability trackers (Rapid7, Wiz, and others) incorporated the CVE and listed Microsoft’s KB as the patch version that addresses the issue; independent writeups summarized both Microsoft’s remediation and Project Zero’s challenge to its completeness.
Note: Project Zero’s public timeline and the claim that Microsoft “ignored” the follow‑up deserve careful parsing. Project Zero reports and follow‑ups are public; Microsoft’s KB and vendor advisory are public. What Project Zero characterizes as an ignored follow‑up appears to be a lack of public acknowledgement or an explicit vendor reply posted in the public disclosure timeline. Microsoft may have engaged privately or planned internal work, but there’s no public, detailed vendor rebuttal or corrected patch posted that directly references Project Zero’s follow‑up findings as of the publicly published updates captured in major advisories and the public KB. That absence is noteworthy, but not, on its own, proof of bad faith. It is accurate to say public records do not show a detailed Microsoft response to Project Zero’s critique.

Technical analysis — why Project Zero says the patch is incomplete​

Project Zero’s assessment (summarized by community posts and follow‑ups) hinges on two related technical claims:
  • The fix Microsoft shipped appears to sanitize or normalize the path to the executable in one place (“resolve the [path to the executable] once and use that going forward”), but fails to enforce that sanitized path consistently throughout the function. If any code path later uses the unnormalized path, the untrusted search path remains exploitable.
  • Administrator Protection’s model introduces shadow elevated contexts and complex token/profile boundaries. Those changes reduce many classic UAC bypass routes, but they also create new interaction patterns and code paths — which, if not hardened consistently, can open subtle, local elevation routes. Project Zero’s analysis argues Microsoft’s patch only covered a subset of the code flows that lead to process loading and elevation, leaving other flows capable of performing the same dangerous action. The net result is a partial closure of the vulnerability rather than full elimination.
Why this matters technically:
  • Untrusted search path problems are reliable local privilege escalation primitives. In a targeted attack an adversary who can drop files on a machine — or who gains a lower‑privileged foothold — can use such a path to escalate.
  • Administrator Protection changes the elevation boundaries and introduces additional surface area; fixing one path but not others risks regression: a new protection feature might close one exploit while leaving equivalent mechanics open elsewhere.
Cross‑validation: the NVD (and accompanying vulnerability trackers) lists the issue as CWE‑426 and tags the vulnerability as Elevation of Privilege with a local attack vector and high impact — consistent with Project Zero’s threat model. Rapid7 and Wiz likewise present the vulnerability as local privilege escalation requiring code execution on target, and they record the Microsoft KB as the remediation reference.

Assessing Microsoft’s response and the claim of “silence”​

  • Microsoft released the November cumulative update that lists CVE‑2025‑60718 as addressed in KB5068861. That is the vendor action that typically’s required to move a CVE from discovery to resolved status in the vendor ecosystem. The vendor advisory and the Microsoft update guide are the authoritative records that a patch was published.
  • Project Zero’s claim that the fix is incomplete is a technical critique backed by code‑path analysis. The public record shows Project Zero published follow‑up notes after Microsoft’s KB; community discussion amplifies that critique.
  • Where the narrative becomes charged is the claim that “Microsoft ignored it completely.” Publicly, Microsoft’s support page and KB lists the patch; there is no public Microsoft reply that directly addresses Project Zero’s post‑patch technical critique in the same public forum. That absence is verifiable in the sense that a visible, labeled Microsoft rebuttal or an updated KB referencing Project Zero’s detailed findings is not present in the public KB or Microsoft update guide entry. However, absence of public comment is not conclusive proof that Microsoft did not engage in private coordination, or that engineering teams didn’t and aren’t working on follow‑up hardening. Claiming willful disregard would be a stronger statement than what the public record supports, so it should be presented with caution.
  • Bottom line: Microsoft shipped a patch and published the advisory; Project Zero says that patch is incomplete and the public record lacks a vendor‑posted, line‑by‑line rebuttal to Project Zero’s technical findings. That combination is factual and newsworthy; it is not demonstrable evidence that Microsoft intentionally ignored Project Zero in private communications.
Evidence for these statements is available in the vendor KB and public CVE records (Microsoft KB and NVD) as well as Project Zero’s follow‑up summarized in community reporting and forum threads.

Risks, real‑world impact, and who should worry​

  • Exploit model: local attacker must execute code on the target machine (or have physical access). This means the vulnerability is not a remote zero‑click escalation but is valuable to attackers that already have a foothold (e.g., lower‑privileged remote code execution or local malware).
  • Value to attackers: once elevated to the shadow admin context, an adversary can obtain persistence, disable protections, access other user profiles, or move laterally within a network — classic post‑exploitation objectives.
  • Likelihood of exploitation in the wild: lower than a remotely exploitable flaw, but non‑trivial for targeted intrusions and for threat actors able to deliver local payloads (e.g., via malvertising, spear‑phishing that spawns local code, or physical access).
  • Affected population: Windows 11 systems with Administrator Protection enabled — Microsoft originally rolled Administrator Protection into Windows 11 24H2/25H2 family builds; however, the feature’s rollout and default enabling varies by build and channel. Community testing suggested Administrator Protection was opt‑in in some channels during early rollout, which reduces immediate exposure, but Microsoft’s roadmap aims at wider enablement. The Microsoft developer doc and the community discussion provide context on the feature’s availability and deployment cadence.
Practical harm scenarios:
  • An attacker who gains low‑privilege remote code execution (e.g., through a browser exploit that can execute a local binary) could leverage the untrusted search path to escalate and gain administrator‑equivalent presence on a machine.
  • In managed environments, a single compromised endpoint could be escalated to local admin, then used as staging for lateral movement or credential theft.

Strengths and weaknesses of the parties’ positions​

What’s strong in Microsoft’s position:
  • Microsoft released a cumulative security update (KB5068861) addressing CVE‑2025‑60718 and documented the fix in the normal vendor channels. Ship the patch, record the CVE, and vendors generally meet disclosure commitments with that action.
  • Microsoft’s Administrator Protection initiative is a forward‑leaning security hardening effort that addresses historic UAC bypass techniques by shifting the model for elevated token handling. The design is defensible and beneficial when implemented correctly.
What’s strong in Project Zero’s position:
  • Project Zero’s follow‑up points to a precise coding pattern — inconsistent path normalization — which is a concrete, reproducible class of error. When fixes patch only a subset of paths, the result is often a residual vulnerability; this is a known pattern in secure coding and patching history. When a follow‑up indicates the fix is incomplete, the security community should take that seriously and verify with independent reproduction.
What’s risky or weak:
  • Microsoft: if the patch truly left exploitable paths open, the initial remediation did not fully close the attack surface; that is an operational risk and reduces confidence that the feature’s implementation has been fully validated across all code paths.
  • Project Zero: their critique is technical and persuasive, but public pressure benefits from either public proof‑of‑concepts or vendor confirmation. Publishing a critique without a subsequent patch or without vendor acknowledgment can leave average users unsure about the correct immediate action.

What administrators and users should do now​

Short, pragmatic checklist:
  • Confirm patch status:
  • Check that systems have the November 11, 2025 cumulative update (KB5068861) or later installed. That update is Microsoft’s official remediation package for CVE‑2025‑60718.
  • Verify build numbers against the known fixed builds listed in vendor guidance and vulnerability trackers (for example, vulnerability databases list fixed build thresholds).
  • Reduce attack surface:
  • If Administrator Protection is currently enabled in your environment and you do not yet need it for operational reasons, consider a cautious deployment and increased monitoring until Microsoft confirms a comprehensive fix. (Note: Administrator Protection is a security hardening feature — disabling it is not a recommended long‑term defense strategy; instead, treat it as a rollout control until engineering provides clarity.
  • Enforce principle of least privilege, strong endpoint protection, and application allowlists to reduce the chance an attacker can get the initial low‑privileged code execution needed to exploit an untrusted search path.
  • Monitor vendor channels:
  • Watch Microsoft’s official KB and update guide for any follow‑on advisories or cumulative updates that explicitly reference Project Zero’s technical points. If Microsoft issues a revised KB or an out‑of‑band patch, apply it after testing.
  • For security teams:
  • Audit systems for presence of Administrator Protection and for unusual token/privilege behavior (use UAC operational logs and endpoint telemetry).
  • Prioritize threat hunting on endpoints that demonstrate anomalous file writes to locations where loaded executables or DLLs reside, and focus on any untrusted directory in the executable search path.
  • In environments where physical access is possible (kiosks, labs, conference machines), treat physical control as a high‑risk vector and reduce privileges accordingly.

How this episode should change vendor–researcher practice​

  • Fast, public, and transparent vendor replies to credible post‑patch critiques would reduce community speculation and provide administrators with clearer guidance. When a respected researcher flags an incomplete fix, a vendor should respond publicly with one of:
  • confirmation that the patch is complete and explanation why; or
  • acknowledgement that further work is required and a target timeline for follow‑up; or
  • an accelerated patch and advisory describing the corrected fix.
  • Researchers should continue to publish reproducible evidence while avoiding releasing exploit code that would enable copying of the technique in the wild before the vendor provides an effective remediation.
  • For both sides: coordinated disclosure frameworks work best when they include public, verifiable follow‑up steps. This episode reinforces the need for explicit post‑patch verification and, when necessary, expedited follow‑up patches rather than reliance on a single cumulative rollup to close complex, multi‑path defects.

Final assessment and conclusion​

CVE‑2025‑60718 is a legitimate privilege‑escalation concern tied to a major new Windows 11 defense mechanism. Microsoft shipped a November cumulative update (KB5068861) that documents the remediation, and public vulnerability databases list that KB and the fixed build thresholds. Project Zero’s technical follow‑up argues the fix was incomplete and that a residual untrusted search path remained exploitable; the public record shows Project Zero published follow‑ups and that the security community picked up those critiques. The combined public record — vendor KB, NVD and vulnerability trackers, and Project Zero’s analysis as reflected in community reporting — supports these two central facts: Microsoft published a patch, and respected external researchers say the patch did not fully eliminate the vulnerability. What’s missing from the public record is a clear, line‑by‑line vendor response acknowledging (or refuting) Project Zero’s technical claims. That absence is important and merits scrutiny, but it is not evidence by itself of malfeasance; it is evidence of a communications gap that increases operational uncertainty for administrators and end users.
Actions for readers:
  • Verify that November 2025 cumulative updates (KB5068861 and any later follow‑ups) are applied and monitored in your environment.
  • Treat Project Zero’s critique as a call to vigilance: prioritize endpoint telemetry, limit the ability of low‑privileged code to write into executable search paths, and harden local policies while awaiting any vendor follow‑up.
  • Expect Microsoft to either publish a clarifying advisory or a subsequent update if Project Zero’s reproduction is confirmed; the security community should watch vendor channels closely and apply tested updates as they appear.
This episode is a textbook case of how modern defensive additions (like Administrator Protection) can shift the landscape: a feature intended to close long‑running UAC bypasses has reduced one class of risk while exposing the importance of exhaustive, multi‑path hardening. The technical stakes are real, and until Microsoft publishes a conclusive, public closure (or Project Zero withdraws the critique), prudent organizations should assume there may still be a residual elevation path and act accordingly.
Source: PCWorld Google flags Windows 11 security fix as incomplete. Microsoft ignores it
 

Click to expand...
You must log in or register to reply here.

Similar threads

ChatGPT
  • Featured
  • Article Article
Windows 11 Administrator Protection: Just-In-Time Privileges
Replies
0
Views
20
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Windows 11 Administrator Protection: Just-In-Time Elevation Explained
Replies
0
Views
43
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Windows 11 Administrator Protection: Enhanced Security and User Considerations
Replies
0
Views
212
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Windows 11 Administrator Protection: The Future of Secure Privilege Management
Replies
0
Views
170
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Windows 11 Administrator Protection: Enhanced Security for Modern Admins
Replies
0
Views
307
ChatGPT
ChatGPT
Back
Top