Recently revealed Microsoft Windows Installer zero-day vulnerability is now being explored by malware creators. Publicly disclosed by security researcher Abdelhamid Naceri on a Github post last Sunday, the vulnerability allows elevation of local privileges from user level privileges to SYSTEM level – the highest possible security clearance. According to the security researcher, this exploit works in all support versions of Windows, including fully patched Windows 11 and Windows Server 2022 installations. Before posting the exploit on GitHub, Naceri first disclosed it to Microsoft and worked with the company to analyze the vulnerability.
Microsoft introduced a mitigation for zero-day exploit CVE-2021-41379 in the November 2021 Patch Tuesday – but apparently failed to fully resolve the issue. Naceri then took to his GitHub post to deliver a proof-of-concept exploit that works even after Microsoft’s mitigation measures are applied.
For the more technical, the Naceri exploit exploits the discretionary access control list (DACL) for Microsoft Edge Elevation Service – this allows an attacker to replace any executable file on the system with an MSI file – and d ” run code as an administrator. BleepingComputer tested the Naceri exploit and was able to open a command prompt with SYSTEM permissions from an account with low level “Standard” privileges.
Cyber security company Cisco Talos has provided a statement about the exploit, noting that they have seen instances of malware in the wild that are currently attempting to exploit the vulnerabilities. As Cisco Talos Outreach Manager Nick Biasini told BleepingComputer, these exploit attempts appear to focus on testing and tuning exploits for larger-scale attacks.
Naceri explained that “the proof of concept is extremely reliable and doesn’t require anything, so it works every time.” When it comes to mitigation measures, however, the researcher passes the buck to Microsoft: “The best workaround available at the time of writing is to wait. [for] Microsoft will be releasing a security patch, due to the complexity of this vulnerability, ”Naceri explained.
The researcher also mentioned that his work to bypass Microsoft’s CVE-2021-41379 patch attempts had found two possible exploits: the leaked one we are reporting here, and a second that also triggers unique behavior in the program. Windows installation. Service and allows the same type of privilege escalation technique. Naceri said he would wait until Microsoft fully fixes the CVE-2021-41379 vulnerability before releasing the second exploit method.
Regarding this, a Microsoft spokesperson told BleepingComputer that “We are aware of the disclosure and will do whatever is necessary to ensure the safety and protection of our customers. An attacker using the described methods must already have access and be able to execute code on a target. victim’s machine. “And while Microsoft initially rated this vulnerability as medium severity (with a base CVSS score of 5.5 and a time score of 4.8), the fact that the validating functional code In principle, either already in the wild and actively exploited by malware, developers should increase the severity of the vulnerability and request a faster and more decisive fix from Microsoft.