
Windows 11 and 10 left vulnerable after Microsoft’s latest patch fails

Microsoft’s patch for the previously discovered zero-day Windows installer exploit turns out to be inadequate. Attackers are already testing a proof-of-concept exploit discovered by security researcher Abdelhamid Naceri last Monday. 

A Windows Installer zero-day vulnerability (tracked as CVE-2021-41379) was discovered recently, and Microsoft tried to patch it a couple of weeks ago as part of its November Patch Tuesday update. As it turns out, there’s a new zero-day bug that bypasses this patch entirely, works on all supported versions of Windows and gives attackers SYSTEM privileges. 

Naceri had previously discovered the initial vulnerability as well and worked with Microsoft to implement a fix. The new exploit published on Monday works by leveraging the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace executable files on the system with MSI files that allow attackers to run code with admin privileges. 
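Since the published bypass hinges on a weak discretionary access control list (DACL) on the Microsoft Edge Elevation Service, the audit a defender most wants is a listing of files under the Edge install tree whose ACLs grant write-class rights to low-privilege principals. The PowerShell below is an added example written for this article, not code from Naceri, Microsoft or Cisco Talos; the Edge path in the usage line and the list of low-privilege principals are assumptions about a typical installation, not values the article gives.

```powershell
# Added example (not from the article): list files and directories under $Path whose
# DACL allows a low-privilege principal to write, modify, delete or re-ACL them.
# The principal list and the Edge path used below are assumptions about a typical
# Windows layout; adjust them for the machine being audited.
function Find-WeakFileAces {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $LowPrivPrincipals = @(
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE',
            'Everyone'
        )
    )

    # Rights that let a caller replace or tamper with the object (or its ACL).
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }

            foreach ($ace in $acl.Access) {
                # Only Allow entries for the principals we consider low-privilege matter here.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }

                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

# Usage (assumed install path; the Edge Elevation Service ships under the Edge
# application directory on a typical system):
Find-WeakFileAces -Path 'C:\Program Files (x86)\Microsoft\Edge' | Format-Table -AutoSize
```

An empty result does not prove the host is safe against the specific exploit, which abuses installer behaviour rather than a single misconfigured file, but any row returned is a write-class grant to an unprivileged principal inside a directory that a SYSTEM service executes from, and that is worth fixing regardless of this CVE. The same function can be pointed at other service binaries' directories.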



New patch, new problems

According to Microsoft’s notes on the flaw, attackers could only delete targeted files on the system. The company also rated the vulnerability as low on the Common Vulnerability Scoring System, but this new zero-day appears to be more effective and more worrying. 

Naceri’s exploit seems to work on fully patched versions of Windows 11, Windows 10 and Windows Server 2022. Using this exploit, attackers with limited access can elevate privileges and spread malware laterally within a victim’s network. 

According to Jaeson Schultz, technical leader for Cisco Talos, malware samples are out there trying to exploit the vulnerability. Additionally, other security researchers have also tweeted their confirmations of the exploit working, including Kevin Beaumont, who reported that the exploit worked on Windows 10 20H2 and Windows 11. 

Kevin also added that the latest update breaks Windows Installer, which breaks Kaspersky AV, requiring further fixing. Cisco Talos has released new Snort rules (SIDs 58635 and 58636), which claim to protect Cisco Secure Firewall customers from being exploited. 
