Microsoft’s patch for the previously discovered zero-day Windows installer exploit turns out to be inadequate. Attackers are already testing a proof-of-concept exploit discovered by security researcher Abdelhamid Naceri last Monday.

A Windows installer zero-day vulnerability (tracked as CVE-2021-41379) was discovered recently which Microsoft tried to patch this a couple of weeks ago as part of their November Patch Tuesday update. As it turns out, there’s a new zero-day bug that bypasses this patch entirely, works on all supported versions of Windows and gives attacker SYSTEM privileges.

Naceri had previously discovered the initial vulnerability as well and worked with Microsoft to implement a fix. The new exploit published on Monday works by leveraging the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace executable files on the system with MSI files that allow attackers to run code with admin privileges.

In the News: MediaTek powered phones are vulnerable to DSP bug

New patch, new problems

According to Microsoft’s notes on the flaw, attackers should only delete targeted files on the system. The company also rated the vulnerability as low on the Common Vulnerability Scoring System, but this new zero-day seems to be more effective and worrying.

Naceri’s exploit seems to work on fully patched versions of Windows 11, Windows 10 and Windows Server 2022. Using this exploit, attackers with limited access can elevate privileges and spread the malware laterally within a victim’s network.

According to Jaeson Schultz, technical leader for Cisco Talos, malware samples are out there trying to exploit the vulnerability. Additionally, other security researchers have also tweeted their confirmations of the exploit working, including Kevin Beaumont, who reported the exploit worked on WIndows 10 20H2 and WIndows 11.

Can confirm this works, local priv esc. Tested on Windows 10 20H2 and Windows 11.

The prior patch MS issued didn't fix the issue properly. https://t.co/OEdmtlMZvY
— Kevin Beaumont (@GossiTheDog) November 22, 2021

Kevin also added that the latest update breaks Windows Installer, which breaks Kaspersky AV, requiring further fixing. Cisco Talos has released new Snort rules (SIDs 58635 and 58636), which claim to protect Cisco Secure Firewall customers from being exploited.

In the News: Pegasus loses wings as Apple files lawsuit against NSO Group

Yadullah Abidi

Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars.

You can contact him here: [email protected]

Windows 11 and 10 left vulnerable after Microsoft’s latest patch fails

New patch, new problems

Hello There!

If you like what you read, please support our publication by sharing it with your friends, family and colleagues. We're an ad-supported publication. So, if you're running an Adblocker, we humbly request you to whitelist us.

We may earn a commission if you buy something from a link on this page. Thanks for your support.

You can read our Ethics Statement here.

You can also support our Editorial Team here.

Read more from Candid.Technology

How to kick bots in CSGO? And how to kick yourself in CSGO?

What is the download limit on Spotify? Where is it available?

Microsoft Word DocX vs Doc file extension comparison

How to delete Internshala account?

Android spyware caught impersonating 2 VPN apps

Top 11 Rainmeter skins

What to do if you drop your phone in the water? Here are 4 ways to dry it

How to get service medals in CSGO?

Tech Made Simpler