Threat actors are using an exploit for Windows Installer in the wild. The zero-day vulnerability stems from another flaw that Microsoft has already patched.
Microsoft patched the vulnerability CVE-2021-41379 as part of the November 2021 Patch Tuesday updates. However, security researcher Abdelhamid Naceri found another zero-day in Windows Installer, along with a bypass for Microsoft's fix of the first issue.
He published a proof-of-concept (POC) exploit for the privilege elevation bug, known as InstallerFileTakeOver, on GitHub. He says it works on all supported versions of Windows, including Windows 11, and points out that a successful attack would give the threat actor admin access on Windows Server, Windows 10, and Windows 11.
Cisco Talos Security Intelligence and Research Group and other researchers followed up by testing the POC. They found it could be reproduced, and that attackers seem to be one step ahead and are already exploiting the vulnerability.
“This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022,” Cisco Talos points out. “Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability.”
When Microsoft originally shipped the fix for Windows Installer, it rated the issue as low severity on the Common Vulnerability Scoring System. The company said attackers would only be able to delete files on a system and would not gain privileges.
There were two problems with that assessment. First, Naceri was able to bypass the fix; second, he then found that a variant of the bug would indeed grant elevated privileges to attackers.
Now we are again waiting for Microsoft to issue a patch. The company says it is aware of the discovery and is working on a fix.