Microsoft's patch was incomplete, so Google publicly disclosed the Windows 11 security vulnerability.
Project Zero is Google's renowned security research team, specializing in finding vulnerabilities in both Google products and third-party software. When a security flaw is discovered, Project Zero reports it privately to the vendor and gives them 90 days to release a patch. If the flaw remains unfixed after this deadline, the information is made public to put further pressure on the developer and give users a chance to protect themselves. In some complex cases, the deadline may be extended. Previously, Project Zero has discovered vulnerabilities in CentOS, libxslt, ChromeOS, and Windows. Most recently, the team announced a security vulnerability present in Windows 11 Insider builds.
According to a detailed technical report on the Project Zero bug tracker, security researcher James Forshaw discovered an Elevation of Privilege (EoP) vulnerability in Windows 11 Insider Preview builds. The flaw lies in the Administrator Protection feature, which Microsoft is preparing to ship in Windows 11 and which grants 'on-demand' administrative privileges via Windows Hello and an isolated admin token.
During his analysis, Forshaw found that Administrator Protection allowed a low-privileged process to take control of a UI access process and thereby escalate to administrator privileges. He reported the vulnerability privately to Microsoft on August 8th, with a disclosure deadline of November 6th. After being granted an extension, Microsoft released a patch on November 12th and credited Forshaw in its advisory for CVE-2025-60718.
Although the matter seemed closed, Forshaw recently reopened the report, stating that Microsoft's patch was incomplete and did not fully fix the vulnerability. Because Microsoft did not respond further, Project Zero decided to publicly disclose the details of the issue.
Although this vulnerability has been widely publicized, users shouldn't panic. It is a local privilege escalation, meaning the attacker must already have access to the computer and be able to run malware on it before the vulnerability can be exploited. Furthermore, Administrator Protection is currently available only on certain Windows 11 Insider builds and must be enabled manually, so the number of users at risk is currently quite small.
Nevertheless, it is essential that Microsoft continue to investigate Forshaw's findings thoroughly and patch the vulnerability completely, especially before Administrator Protection is officially released to the public on Windows 11.