Register now for better personalized quote!

Hackers are targeting this Microsoft Windows Installer flaw, say security researchers

Nov, 26, 2021 Hi-network.com

Hackers have already created malware in a bid to exploit an elevation of privilege vulnerability in Microsoft's Windows Installer.

Microsoft released a patch for CVE-2021-41379, an elevation of privilege flaw in the Windows Installer component for enterprise application deployment. It had an "important" rating and a severity score of just 5.5 out of 10. 

Windows 11

  • How to install Android apps on Windows 11
  • The best Windows laptops: Top notebooks, 2-in-1s, and ultraportables
  • How to recover deleted files in Windows 10 or 11
  • I hate Windows 11. How can I make it work more like Windows 10?

It wasn't actively being exploited at the time, but it is now, according to Cisco's Talos malware researchers. Cisco reports that the bug can be exploited even on systems with the November patch to give an attacker administrator-level privileges. 

SEE:Windows 11 FAQ: Our upgrade guide and everything else you need to know

This, however, contradicts Microsoft's assessment that an attacker would only be able to delete targeted files on a system and would not gain privileges to view or modify file contents.

"This vulnerability allows an attacker with a limited user account to elevate their privileges to become an administrator," explained Jaeson Schultz at Cisco Talos. 

"This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022. Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability."

Abdelhamid Naceri, the researcher who reported CVE-2021-41379 to Microsoft, tested patched systems and on November 22 published proof-of-concept exploit code on GitHub, which shows that it works despite Microsoft's fixes. It also works on Server versions of affected Windows, including Windows Server 2022. 

"The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator," wrote Cisco's Shultz.

SEE:Dark web crooks are now teaching courses on how to build botnets

He added that this "functional proof-of-concept exploit code will certainly drive additional abuse of this vulnerability." 

Naceri said there is no workaround for this bug other than another patch from Microsoft. 

"Due to the complexity of this vulnerability, any attempt to patch the binary directly will break Windows Installer. So you'd better wait and see how/if Microsoft will screw the patch up again," Naceri said. Microsoft is yet to acknowledge Naceri's new proof of concept and has not yet said whether it will issue a patch for it. 

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next
  • 8 habits of highly secure remote workers
  • How to find and remove spyware from your phone
  • The best VPN services: How do the top 5 compare?
  • How to find out if you are involved in a data breach -- and what to do next

tag-icon Hot Tags : Tech Security

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.