New Windows Installer Zero-Day Vulnerability

Risk: high
Damage: high
Platform(s): Microsoft® Windows OS
Advisory ID: ngCERT-2021-0061
Version: N/A
CVE: CVE-2021-41379
Published: November 25, 2021

Summary


A security researcher discovered and reported a privilege escalation vulnerability in the Windows Installer software component, which was later fixed by Microsoft. The newly discovered zero-day flaw not only bypasses Microsoft's previous fix but also allows local privilege escalation. As a result, attackers are actively attempting to exploit the newly disclosed variant of the vulnerability in order to execute arbitrary code on fully patched systems.

Description & Consequence


This type of vulnerability involves gaining unauthorized access to elevated rights or privileges to which the user is not entitled. The "InstallerFileTakeOver" proof-of-concept (PoC) exploit replaces any executable file on the system with an MSI installer file by overwriting the discretionary access control list (DACL) of the Microsoft Edge Elevation Service, allowing an attacker to run code with SYSTEM privileges. An attacker with administrative privileges could then exploit the vulnerability to gain complete control of the compromised system. SYSTEM privileges are the highest user rights available on Windows and make it possible to perform any operating system command.

If successfully exploited, the "InstallerFileTakeOver" PoC:

  1. grants an actor administrative privileges on Windows 10, Windows 11, and Windows Server when logged into a Windows machine with Edge installed, allowing a threat actor to execute arbitrary code on compromised systems.
  2. allows malicious actors to download and install additional malicious software, and to modify, delete, or exfiltrate sensitive information stored on the machine.
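Because the PoC described above works by rewriting the DACL of the Edge Elevation Service binary and then replacing the file, a defender can look for exactly those two artefacts. The following PowerShell script is an added example written for this advisory, not a tool from ngCERT or Microsoft. It assumes the service is registered under the name MicrosoftEdgeElevationService (an assumption; pass -ServiceName if your build differs) and that it runs in an elevated session so that the file's security descriptor can be read. It resolves the service binary from the service control manager rather than hard-coding a path, verifies the Authenticode signature (a replaced binary will not carry a valid Microsoft signature), and flags any Allow ACE that gives write-type rights to broad or low-privileged principals, as well as an unexpected file owner.

```powershell
# Added defensive check (not part of the ngCERT advisory): inspects the Microsoft Edge
# Elevation Service binary for the DACL tampering / file replacement described above.
# Assumptions: the service name 'MicrosoftEdgeElevationService' (override with -ServiceName),
# and an elevated PowerShell session so Get-Acl can read the security descriptor.

param(
    [string]$ServiceName = 'MicrosoftEdgeElevationService'
)

# Resolve the executable from the service control manager instead of hard-coding a path.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found; Edge may not be installed on this host."
    return
}

# PathName may be quoted and may carry arguments; keep only the executable path.
$exePath = ($svc.PathName -replace '^"([^"]+)".*$', '$1').Trim()
if (-not (Test-Path -LiteralPath $exePath)) {
    Write-Warning "Service binary '$exePath' does not exist."
    return
}

$findings = @()

# 1. A replaced binary will no longer carry a valid Microsoft Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $exePath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "Signature check failed: status=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
}

# 2. The DACL should not grant write-type rights to broad or low-privileged principals.
#    FullControl already includes Write, but listing the rights separately keeps the intent clear.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions
$broadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

$acl = Get-Acl -LiteralPath $exePath
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $grantsWrite = (($ace.FileSystemRights -band $writeMask) -ne 0)
    $isBroad     = ($broadPrincipals -contains $ace.IdentityReference.Value)
    if ($grantsWrite -and $isBroad) {
        $findings += "DACL grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
    }
}

# 3. Heuristic: binaries under Program Files are normally owned by TrustedInstaller,
#    Administrators or SYSTEM; any other owner suggests the file was taken over.
if ($acl.Owner -notmatch '^(NT SERVICE\\TrustedInstaller|BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM)$') {
    $findings += "Unexpected owner: $($acl.Owner)"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: '$exePath' is signed by Microsoft and its DACL/owner look intact."
} else {
    Write-Output "SUSPICIOUS: '$exePath'"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated prompt as `.\Check-EdgeElevationService.ps1` (file name assumed). A "SUSPICIOUS" result on a host that has not been deliberately reconfigured is worth treating as a possible compromise and reporting as described under Solution; a clean result only covers this one binary, so pair it with the usual Windows Installer and process-creation telemetry.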

Solution


The following are necessary:

  1. Since the latest variant of CVE-2021-41379 is more powerful than the original, and given the complexity of this vulnerability, users are advised to wait for Microsoft to release a security patch for the problem.
  2. Ensure regular system and browser updates.
  3. Watch for the patch and apply it immediately it is released by Microsoft.
  4. Report any incident of system compromise to ngCERT on incident@cert.gov.ng for technical assistance.

Reference


  1. https://thehackernews.com/2021/11/warning-hackers-exploiting-new-windows.html
  2. https://threatpost.com/attackers-target-windows-installer-bug/176558/
  3. https://www.bleepingcomputer.com/news/security/malware-now-trying-to-exploit-new-windows-installer-zero-day/
