Microsoft patch fails to fix Installer zero-day affecting every version of Windows
The exploit allows hackers to elevate privileges and create admin accounts


Cyber criminals are testing out a proof-of-concept malware that targets a zero-day escalation of privilege exploit in the Microsoft Windows Installer.
The flaw, which enables hackers with a limited user account to elevate their privileges to become an administrator, affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022.
Malware samples have already been detected in the wild that are attempting to take advantage of this vulnerability, according to a blog post by security researchers at Cisco Talos.
It was security researcher Abdelhamid Naceri who initially discovered this elevation of privilege vulnerability and worked with Microsoft to address it. Microsoft then released an update that was intended to fix CVE-2021-41379 on 9 November as part of its monthly security update.
However, the patch failed to fix the vulnerability, and Naceri published a proof-of-concept exploit code on GitHub on 22 Nov that still works despite the fixes implemented by Microsoft.
“The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator,” said Jaeson Schultz, technical leader for Cisco's Talos Security Intelligence & Research Group.
RELATED RESOURCE
Multi-factor authentication deployment guide
A complete guide to selecting and deploying your MFA authentication guide
According to a posting by Naceri on GitHub, the technique may not work on every installation, because windows installations, such as server 2016 and 2019, may not have the elevation service.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“I deliberately left the code which take over file open, so any file specified in the first argument will be taken over with the condition that SYSTEM account must have access to it and the file mustn't be in use. So you can elevate your privileges yourself,” he said.
Naceri added that the best workaround available at the time of writing this is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability.
“Any attempt to patch the binary directly will break windows installer. So you better wait and see how Microsoft will screw the patch again,” he said.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
The threat prevention buyer's guide
Whitepaper Find the best advanced and file-based threat protection solution for you
By ITPro
-
Supply chain as kill chain
Whitepaper Security in the era Zero Trust
By ITPro
-
Microsoft under fire for “negligent” security practices in scathing critique by industry exec
News Microsoft took more than 90 days to issue a partial fix for a critical Azure vulnerability, researchers found
By Ross Kelly
-
Apple patches zero day linked to spyware campaign
News Kaspersky researchers were the first to report a zero day used in a sophisticated attack chain
By Rory Bathgate
-
MOVEit cyber attack: Cl0p sparks speculation that it’s lost control of hack
News The hackers return with their second major data-extortion attack of 2023, but may have bitten off more than they can chew
By Connor Jones
-
Microsoft says it knows who was behind cyber attacks on MOVEit Transfer
Dozens of organizations may have already lost data to hackers exploiting the critical flaw
By Rory Bathgate
-
Trend Micro security predictions for 2023
Whitepaper Prioritise cyber security strategies on capabilities rather than costs
By ITPro
-
Windows, macOS, and Tesla exploits debuted at Pwn2Own hacking contest
News Researchers took home more than $375,000 in winnings on the first day of the competition
By Ross Kelly