Microsoft’s patch for the previously discovered zero-day Windows Installer exploit turns out to be inadequate. Attackers are already testing a proof-of-concept exploit that security researcher Abdelhamid Naceri published last Monday.
A Windows Installer zero-day vulnerability (tracked as CVE-2021-41379) was discovered recently, which Microsoft tried to patch a couple of weeks ago as part of its November Patch Tuesday update. As it turns out, there’s a new zero-day bug that bypasses this patch entirely, works on all supported versions of Windows and gives attackers SYSTEM privileges.
Naceri had previously discovered the initial vulnerability as well and worked with Microsoft to implement a fix. The new exploit published on Monday works by leveraging the discretionary access control list (DACL) of the Microsoft Edge Elevation Service to replace executable files on the system with MSI files, which allows attackers to run code with admin privileges.
New patch, new problems
According to Microsoft’s notes on the flaw, attackers could only delete targeted files on the system. The company also rated the vulnerability as low on the Common Vulnerability Scoring System, but this new zero-day seems to be more effective and more worrying.
Naceri’s exploit seems to work on fully patched versions of Windows 11, Windows 10 and Windows Server 2022. Using this exploit, attackers with limited access can elevate their privileges and spread malware laterally within a victim’s network.
According to Jaeson Schultz, technical leader for Cisco Talos, malware samples are already out there trying to exploit the vulnerability. Other security researchers have also tweeted confirmations that the exploit works, including Kevin Beaumont, who reported that it worked on Windows 10 20H2 and Windows 11.
Beaumont also added that the latest update breaks Windows Installer, which in turn breaks Kaspersky AV, requiring a further fix. Cisco Talos has released new Snort rules (SIDs 58635 and 58636), which it says protect Cisco Secure Firewall customers from attempts to exploit the vulnerability.