Hackers are targeting this Microsoft Windows Installer flaw

Discussion in 'Headline News' started by RickAgresta, Nov 26, 2021.

  1. RickAgresta

    RickAgresta General Peanut, leader of the Peanutty Forces

    Flaw can be exploited to give an attacker administrator rights on a compromised system, despite efforts to fix the problem.

    Hackers have already created malware in a bid to exploit an elevation of privilege vulnerability in Microsoft's Windows Installer.

    Microsoft released a patch for CVE-2021-41379, an elevation of privilege flaw in the Windows Installer component for enterprise application deployment. It had an "important" rating and a severity score of just 5.5 out of 10.

    It wasn't actively being exploited at the time, but it is now, according to Cisco's Talos malware researchers. And Cisco reports that the bug can be exploited even on systems with the November patch to give an attacker administrator-level privileges.

    This, however, contradicts Microsoft's assessment that an attacker would only be able to delete targeted files on a system and would not gain privileges to view or modify file contents.

    "This vulnerability allows an attacker with a limited user account to elevate their privileges to become an administrator," explains Jaeson Schultz at Cisco Talos.

    "This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022. Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability."

    Abdelhamid Naceri, the researcher who reported CVE-2021-41379 to Microsoft, tested patched systems and on November 22 published proof-of-concept exploit code on GitHub, which shows that it works despite Microsoft's fixes. It also works on Server versions of affected Windows, including Windows Server 2022.

    "The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator," writes Cisco's Schultz.

    He adds that this "functional proof-of-concept exploit code will certainly drive additional abuse of this vulnerability."

    Naceri says there is no workaround for this bug other than another patch from Microsoft.

    "Due to the complexity of this vulnerability, any attempt to patch the binary directly will break Windows Installer. So you'd better wait and see how/if Microsoft will screw the patch up again," Naceri said. Microsoft is yet to acknowledge Naceri's new proof of concept and has not yet said whether it will issue a patch for it.

    Hackers are targeting this Microsoft Windows Installer flaw, say security researchers | ZDNet

    OP note: the above is the full content of the article, but the magazine has linked other interesting/useful articles on that page which aren't included in this post.
  2. Hook

    Hook Have keyboard, will travel

    Note that this is affecting the Installer service for Enterprise deployment, which is certainly serious, but individual home users are not likely to run into this (though I haven't explored all the links in the article).
    scjjtt, lelisa13p and RickAgresta like this.
  3. lelisa13p

    lelisa13p Your Super Moderator Super Moderator

    Liked posts for reporting such a threat. A pox on those who threaten. :vbmad:
    RickAgresta, scjjtt and Hook like this.
