Cyber criminals are testing out a proof-of-concept malware that targets a zero-day escalation of privilege exploit in the Microsoft Windows Installer.
The flaw, which enables hackers with a limited user account to elevate their privileges to become an administrator, affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022.
Malware samples have already been detected in the wild that are attempting to take advantage of this vulnerability, according to a blog post by security researchers at Cisco Talos.
It was security researcher Abdelhamid Naceri who initially discovered this elevation of privilege vulnerability and worked with Microsoft to address it. Microsoft then released an update that was intended to fix CVE-2021-41379 on 9 November as part of its monthly security update.
However, the patch failed to fix the vulnerability, and Naceri published a proof-of-concept exploit code on GitHub on 22 Nov that still works despite the fixes implemented by Microsoft.
“The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator,” said Jaeson Schultz, technical leader for Cisco's Talos Security Intelligence & Research Group.
RELATED RESOURCE
Multi-factor authentication deployment guide
A complete guide to selecting and deploying your MFA authentication guide
According to a posting by Naceri on GitHub, the technique may not work on every installation, because windows installations, such as server 2016 and 2019, may not have the elevation service.
“I deliberately left the code which take over file open, so any file specified in the first argument will be taken over with the condition that SYSTEM account must have access to it and the file mustn't be in use. So you can elevate your privileges yourself,” he said.
Naceri added that the best workaround available at the time of writing this is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability.
“Any attempt to patch the binary directly will break windows installer. So you better wait and see how Microsoft will screw the patch again,” he said.
-
The threat prevention buyer's guideWhitepaper Find the best advanced and file-based threat protection solution for you
-
Supply chain as kill chainWhitepaper Security in the era Zero Trust
-
Microsoft under fire for “negligent” security practices in scathing critique by industry execNews Microsoft took more than 90 days to issue a partial fix for a critical Azure vulnerability, researchers found
-
Apple patches zero day linked to spyware campaignNews Kaspersky researchers were the first to report a zero day used in a sophisticated attack chain
-
MOVEit cyber attack: Cl0p sparks speculation that it’s lost control of hackNews The hackers return with their second major data-extortion attack of 2023, but may have bitten off more than they can chew
-
Microsoft says it knows who was behind cyber attacks on MOVEit TransferDozens of organizations may have already lost data to hackers exploiting the critical flaw
-
Trend Micro security predictions for 2023Whitepaper Prioritise cyber security strategies on capabilities rather than costs
-
Windows, macOS, and Tesla exploits debuted at Pwn2Own hacking contestNews Researchers took home more than $375,000 in winnings on the first day of the competition
