Hot Take Google exposes Windows 11 security flaw after Microsoft fails to patch it properly

Parkinsond (Thread author)
Dec 6, 2023
In a highly technical report on the Project Zero issue tracker, security researcher James Forshaw discovered an elevation of privilege (EoP) bug in Windows 11's Insider Preview releases. The issue was present in Administrator Protection, an upcoming Windows 11 feature that enables just-in-time privilege elevation only when needed, through Windows Hello and an isolated admin token.

However, during his investigation, Forshaw discovered that Administrator Protection has a flaw that allows a low-privileged process to hijack a UI access process, which can then be used to gain administrator privileges. The researcher reported this vulnerability privately to Microsoft on August 8, which meant that the company had until November 6 to fix it. After receiving an extension to this deadline, the Redmond tech giant delivered a patch on November 12, also thanking Forshaw for his contribution in CVE-2025-60718.

Excellent breakdown of the vulnerability discovered by James Forshaw. The explanation of how Administrator Protection could be bypassed through UI access hijacking is very insightful. Kudos to Microsoft for responsibly addressing the issue within the extended disclosure window and crediting the researcher in CVE-2025-60718.