Hackers have already created malware in a bid to exploit an elevation of privilege vulnerability in Microsoft’s Windows Installer.
Microsoft released a patch for CVE-2021-41379, an elevation of privilege flaw in the Windows Installer component for enterprise application deployment. It had an “important” rating and a severity score of just 5.5 out of 10.
It wasn’t actively being exploited at the time, but it is now, according to Cisco’s Talos malware researchers. And Cisco reports that the bug can be exploited even on systems with the November patch to give an attacker administrator-level privileges.
This, however, contradicts Microsoft’s assessment that an attacker would only be able to delete targeted files on a system and would not gain privileges to view or modify file contents.
“This vulnerability allows an attacker with a limited user account to elevate their privileges to become an administrator,” explains Jaeson Schultz at Cisco Talos.
“This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022. Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability.”
Abdelhamid Naceri, the researcher who reported CVE-2021-41379 to Microsoft, tested patched systems and on November 22 published proof-of-concept exploit code on GitHub, which shows that it works despite Microsoft’s fixes. It also works on Server versions of affected Windows, including Windows Server 2022.
“The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator,” writes Cisco’s Shultz.
He adds that this “functional proof-of-concept exploit code will certainly drive additional abuse of this vulnerability.”
Naceri says there is no workaround for this bug other than another patch from Microsoft.
“Due to the complexity of this vulnerability, any attempt to patch the binary directly will break Windows Installer. So you’d better wait and see how/if Microsoft will screw the patch up again,” Naceri said. Microsoft is yet to acknowledge Naceri’s new proof of concept and has not yet said whether it will issue a patch for it.