Wild hackers use Windows Installer for zero-day exploit

Story Highlights

  • Attackers are attempting to use a new variant of a recently reported privilege escalation vulnerability to potentially execute arbitrary code on fully patched computers, highlighting how quickly adversaries can weaponize a publicly available exploit.

  • The elevation of privilege flaw in the Windows Installer software component was first patched as part of Microsoft’s Patch Tuesday updates for November 2021. It is tracked as CVE-2021-41379 and is credited to security researcher Abdelhamid Naceri.

“We have found malware samples in the wild that are attempting to exploit this issue,” Cisco Talos said.

However, in what amounts to an insufficient patch, Naceri found that it was possible not only to bypass the fix implemented by Microsoft but also to achieve local privilege escalation via a newly discovered zero-day bug.

An attacker who escalates privileges this way could abuse the access to gain full control over the compromised system, including the ability to download additional software and to modify, delete or exfiltrate sensitive information stored on the machine.

The proof-of-concept (PoC) exploit, dubbed “InstallerFileTakeOver,” works by overwriting the discretionary access control list (DACL) of the Microsoft Edge Elevation Service so that any executable file on the system can be replaced with an MSI installer file, allowing an attacker to run code with SYSTEM privileges.
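A defender checking hosts for this technique would look for what it leaves behind rather than for the PoC itself. The following PowerShell is an added example, not code from the article or from Naceri's InstallerFileTakeOver PoC: it audits the binary behind the Microsoft Edge Elevation Service for a DACL that grants write-class rights to low-privileged principals, and for a file that is no longer a validly signed PE (an MSI is an OLE compound document, not a PE, so a swapped-in installer fails both the header and the signature check). The service name MicrosoftEdgeElevationService, the low-privileged principal list and the expected signer are assumptions, not details from the article; through its -Path parameter the check generalizes to any binary that runs as SYSTEM.

```powershell
# Added example (not from the article or the InstallerFileTakeOver PoC).
# Audits a privileged binary for the traces a DACL-overwrite-and-replace
# attack leaves: (1) ACEs that let low-privileged principals write to, delete
# or re-permission the file, (2) a file that is no longer a Microsoft-signed PE,
# e.g. an MSI (OLE compound file) sitting where elevation_service.exe should be.
# Assumptions: service registered as 'MicrosoftEdgeElevationService';
# run from an elevated PowerShell prompt.

Set-StrictMode -Version Latest

function Get-EdgeElevationServicePath {
    # Resolve the binary from the service configuration instead of hard-coding
    # the version-specific Edge install directory (an assumption about the host).
    $svc = Get-CimInstance -ClassName Win32_Service `
        -Filter "Name='MicrosoftEdgeElevationService'"
    if (-not $svc) { throw 'Microsoft Edge Elevation Service is not registered on this host.' }
    # PathName is normally a quoted path with no arguments; extract the .exe.
    if ($svc.PathName -match '^"?(?<exe>[^"]+?\.exe)"?') { return $Matches['exe'] }
    throw "Unexpected service PathName: $($svc.PathName)"
}

function Test-PrivilegedBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Principals that must never hold write-class rights on a SYSTEM-run binary.
        [string[]]$LowPrivileged = @(
            'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE',
            'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'
        )
    )
    # Any of these rights lets the holder alter or replace the file or its DACL.
    $writeClass = [System.Security.AccessControl.FileSystemRights] (
        'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership')

    $acl = Get-Acl -LiteralPath $Path
    $riskyAces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ((([int]$_.FileSystemRights) -band ([int]$writeClass)) -ne 0) -and
        ($LowPrivileged -contains $_.IdentityReference.Value)
    })

    # Header check: a PE begins with "MZ"; an MSI is an OLE compound file
    # beginning with D0 CF 11 E0 A1 B1 1A E1.
    $fs = [System.IO.File]::OpenRead($Path)
    try { $hdr = New-Object byte[] 8; [void]$fs.Read($hdr, 0, 8) } finally { $fs.Dispose() }
    $isPe  = ($hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
    $isMsi = ($hdr[0] -eq 0xD0 -and $hdr[1] -eq 0xCF -and $hdr[2] -eq 0x11 -and $hdr[3] -eq 0xE0)

    # Signature check: a file swapped in by an attacker will not carry a valid
    # Microsoft Authenticode signature (signer subject is an assumption).
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
        ($sig.SignerCertificate -and
         $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

    [pscustomobject]@{
        Path              = $Path
        Owner             = $acl.Owner
        RiskyAces         = @($riskyAces | ForEach-Object {
                                "$($_.IdentityReference): $($_.FileSystemRights)" })
        IsPE              = $isPe
        LooksLikeMsi      = $isMsi
        SignedByMicrosoft = $signedByMicrosoft
        Suspicious        = ($riskyAces.Count -gt 0) -or (-not $isPe) -or (-not $signedByMicrosoft)
    }
}

# Usage: audit the Edge Elevation Service binary. 'Suspicious = True' warrants a
# closer look (compare against a known-good host, review Windows Installer logs).
Test-PrivilegedBinary -Path (Get-EdgeElevationServicePath) | Format-List
```

On a healthy host the Users and ALL APPLICATION PACKAGES principals hold only ReadAndExecute on the binary, which shares no bits with the write-class mask, so RiskyAces is empty and the file is a Microsoft-signed PE; a write-class ACE for a low-privileged identity, a non-MZ header or a failed signature each flips Suspicious on its own.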

“Can confirm this works, local priv esc. Tested on Windows 10 20H2 and Windows 11. The prior patch MS issued didn’t fix the issue properly,” tweeted security researcher Kevin Beaumont, corroborating the findings.

Naceri noted that the latest variant of CVE-2021-41379 is “more powerful than the original one,” and that the best course of action would be to wait for Microsoft to release a security patch for the problem “due to the complexity of this vulnerability.”

It’s not exactly clear when Microsoft will act on the public disclosure and release a fix. We have reached out to the company for comment, and we will update the story if we hear back.

Researchers report that attackers are already attempting to exploit this major security vulnerability. The more powerful variant of the zero-day, for which Microsoft released a patch earlier this month, can be actively exploited.[1] The security hole was not properly fixed by that update, and the vulnerability can potentially lead to arbitrary code execution on systems that received the patch.[2]

Unfortunately, this shows how quickly publicly available exploits can be weaponized and how serious zero-day flaws are.[3] Recent security warnings and attack reports show that exploitation of zero-day flaws can cause real damage to the systems and networks of major institutions, organizations and businesses. Code execution on a compromised system can lead to data exfiltration or malware deployment.