Microsoft patch fails to fix Installer zero-day affecting every version of Windows

News
By published

The exploit allows hackers to elevate privileges and create admin accounts

A hand holding a magnifying glass reveals a red lock, unlocked among several blue locked locks

Cyber criminals are testing out a proof-of-concept malware that targets a zero-day escalation of privilege exploit in the Microsoft Windows Installer.

The flaw, which enables hackers with a limited user account to elevate their privileges to become an administrator, affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022.

Microsoft Windows Security review: Minimum effort Hackers exploit Windows zero-day to target users with Office files Microsoft makes second attempt to fix PrintNightmare flaw

Malware samples have already been detected in the wild that are attempting to take advantage of this vulnerability, according to a blog post by security researchers at Cisco Talos.

It was security researcher Abdelhamid Naceri who initially discovered this elevation of privilege vulnerability and worked with Microsoft to address it. Microsoft then released an update that was intended to fix CVE-2021-41379 on 9 November as part of its monthly security update.

However, the patch failed to fix the vulnerability, and Naceri published a proof-of-concept exploit code on GitHub on 22 Nov that still works despite the fixes implemented by Microsoft.

“The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator,” said Jaeson Schultz, technical leader for Cisco's Talos Security Intelligence & Research Group.

RELATED RESOURCE

Multi-factor authentication deployment guide

A complete guide to selecting and deploying your MFA authentication guide

FREE DOWNLOAD

According to a posting by Naceri on GitHub, the technique may not work on every installation, because windows installations, such as server 2016 and 2019, may not have the elevation service.

“I deliberately left the code which take over file open, so any file specified in the first argument will be taken over with the condition that SYSTEM account must have access to it and the file mustn't be in use. So you can elevate your privileges yourself,” he said.

Naceri added that the best workaround available at the time of writing this is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability.

“Any attempt to patch the binary directly will break windows installer. So you better wait and see how Microsoft will screw the patch again,” he said.

Rene Millman
Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.

Male software engineer working on a laptop at a home office desk with two PC monitors sitting on top of desk.

‘This shift highlights not just a continuation but a broad acceptance of remote work as the norm’: Software engineers are sticking with remote work and refusing to budge on RTO mandates – and 21% would quit if forced back to the office
Ransomware concept image showing a warning symbol in red with binary code in background.

Healthcare systems are rife with exploits — and ransomware gangs have noticed
Application security concept image showing a digitized padlock placed upon a digital platform.

ESET looks to ‘empower’ partners with cybersecurity portfolio updates
See more latest
Most Popular
Male software engineer working on a laptop at a home office desk with two PC monitors sitting on top of desk.
‘This shift highlights not just a continuation but a broad acceptance of remote work as the norm’: Software engineers are sticking with remote work and refusing to budge on RTO mandates – and 21% would quit if forced back to the office
Ransomware concept image showing a warning symbol in red with binary code in background.
Healthcare systems are rife with exploits — and ransomware gangs have noticed
Application security concept image showing a digitized padlock placed upon a digital platform.
ESET looks to ‘empower’ partners with cybersecurity portfolio updates
Databricks logo and branding pictured on a MacBook Pro screen.
Databricks and Anthropic are teaming up on agentic AI development – here’s what it means for customers
Dell Technologies logo and branding pictured at the company's stall at Mobile World Congress (MWC) in Barcelona, Spain.
Scale of Dell job cuts laid bare as firm sheds 10% of staff in a year
Male employee sitting at a desk working on a laptop with earphones in and books scattered on desk.
Employees want purpose, and they’re willing to quit to find it – upskilling, career growth, and work-life balance have shifted priorities for workers
NHS logo displayed on a smartphone screen in white lettering on a blue background.
NHS supplier hit with £3m fine for security failings that led to attack
OpenAI logo and branding pictured at Mobile World Congress 2024 in Barcelona, Spain.
OpenAI announces five-fold increase in bug bounty reward
Digital handshake concept with Hand shake between two businessmen with digital hand
SYSPRO appoints Josef Al-Sibaie to spearhead global expansion
ChatGPT logo and branding pictured in white coloring against a black backdrop.
DeepSeek and Anthropic have a long way to go to catch ChatGPT: OpenAI's flagship chatbot is still far and away the most popular AI tool in offices globally