5play.ru / News / A zero-day vulnerability was discovered in the Windows Installer. Attackers are already trying to exploit it

A zero-day vulnerability was discovered in the Windows Installer. Attackers are already trying to exploit it

691
A zero-day vulnerability was discovered in the Windows Installer. Attackers are already trying to exploit it
Cybersecurity specialist Abdelhamid Naseri found a zero-day vulnerability. With its help, you can go to the privilege level from a regular user to the maximum allowable SYSTEM.

This error is present in current OS assemblies, including fully patched Windows 11 and Windows Server 2022. Before publishing data about his discovery, Naseri reported the error directly to the operating system developers, as a result of which a joint analysis of the error was carried out.

To solve the problem, Microsoft began distributing the CVE-2021-41379 update on November Tuesday patches, but this did not help. The futility of the company's efforts was confirmed by Naseri, sharing evidence of the vulnerability on GitHub after the update.

The malicious code snippet found uses selective access control tables (DACL) for the Microsoft Edge Elevation Service. It allows unscrupulous users to replace any executable file with an MSI file, and then run the code on behalf of the administrator. BleepingComputer tested this exploit, which resulted in a command prompt opening with SYSTEM permissions from an account with Standard capabilities.

Security firm Cisco Talos commented on the discovery of malware files on the network attempting to exploit the bug. Nick Biasini, head of the company's public relations department, said the vulnerability could be used to prepare for larger hacker attacks.

According to Naseri, we should wait for a full-fledged patch from Microsoft that will help deal with the problem. The specialist also says that after the update, he was looking for ways of a possible workaround and found two options, one of the coma and shared. The second method initiates a similar privilege escalation method through the Windows Installer Service. Naseri will tell about the details of this method when Microsoft releases a completely bug-fixing update.

Microsoft representatives, in turn, say that the company is working hard to fix the situation. They also note that in order to exploit the error, attackers need to provide themselves with access to the victim's target system with the ability to run code. In the classification of the company, the error is assessed as average with a CVSS score of 5.5 points.
Login or register to post comments

Comments 0

There are no comments yet, but you can be the one to add the very first comment!