New Windows Installer zero-day exploit abused by hackers

Researchers report the powerful elevation-of-privilege flaw allowing arbitrary code execution on fully-patched systems

Microsft released an update to fix the flaw but the patch was not sufficient

Attackers making attempts to exploit the major security vulnerability, researchers report. The powerful version of the zero-day flaw for which Microsoft released a patch earlier this month can be actively used.^[1] Security hole was not properly fixed with the update. The vulnerability potentially leads to arbitrary code execution on systems that received the patch.^[2]

Unfortunately, it shows how quickly publicly available exploiters can get weaponized and how major zero-day flaws are.^[3] The recent security warnings and attack reports show that zero-day flaw execution can cause real damage and havoc on systems and networks related to major institutions and organizations, businesses. The code execution on the compromised system can lead to data exfiltration or malware deployment.

The issue was detected as malware samples got discovered in the wild used in the campaigns attempting to use this flaw to attackers' advantage. The flaw tracked as CVE-2021-41379^[4] was reported by Abdelhamid Naceri. The patch for the privilege elevation flaw affecting the Windows Installer software component should have been resolved, but the patch was not working. Researchers revealed that it is still possible to bypass the fix and achieve local privilege escalation using the zero-day bug.

Insufficient patch for the security

The November 9th patch did not fix the security issue because the researcher found the bypass also a zero-day privilege elevation bug. The proof-of-concept exploit showed that the issue can be exploited on every currently-supported Windows version. If the bug gets used, hackers can get administrative privileges on the machine running Windows 10, Windows 11, or Windows Server once logged onto the device that has Edge installed.^[5]

The rating of this flaw is low in severity, but attackers can still delete files on the machine, modify any content and view data if the flaw gets exploited. But the CVE-2021-41379 flaw discovered additionally to this bypass of the patch shows more advanced issues than the original flaw:

• attackers can run code with administrator rights;
• replace any executable files using MSI file;
• launch commands;
• download or install software;
• exfiltrate data from compromised systems;
• access/delete/modify files.

Active attacks and exploitation confirmed

The confirmation of possible exploitation also showed that attackers were already using the bug to take advantage of the attack possibilities. Some additional reports show that POC – InstallerFileTakeOver^[6] functions can deliver the local privilege escalation and other researchers tested the issue on Windows 10 and Windows 11.

This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022. Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability.

Unfortunately, even though Microsoft is aware of the discovery, nothing can be done now. The best option, at this time, is to wait for the proper update from Microsoft that patches the issue correctly. Any other attempts can cause issues with the performance, data, or even collapse the Windows installer. The second time will hopefully be successful. It is not reported officially when the actions could be taken and the fix released.