New zero-day vulnerability in Windows Installer affects all versions of Microsoft's OS

jsilva

Posts: 270   +1
Staff
In brief: Computer security group Cisco Talos has found a new vulnerability that affects every Windows version to date, including Windows 11 and Server 2022. The vulnerability exists in the Windows Installer and allows hackers to elevate their privileges to become an administrator.

The discovery of this vulnerability led the Cisco Talos group to update its Snort rules, which consists of rules to detect attacks targeting a list of vulnerabilities. The updated list of rules includes the zero-day elevation of privilege vulnerability, as well as new and modified rules for emerging threats from browsers, operating systems and network protocols, among others.

Exploiting this vulnerability allows hackers with limited user access to elevate their privileges, acting as an administrator of the system. The security firm has already found malware samples out on the Internet, so there's a good chance someone already fell victim to it.

The vulnerability had been previously reported to Microsoft by Abdelhamid Naceri, a security researcher at Microsoft, and was supposedly patched with the fix CVE-2021-41379 on November 9. However, the patch didn't seem to be enough to fix the issue, as the problem persists, leading Naceri to publish the proof-of-concept on GitHub.

In simple terms, the proof-of-concept shows how a hacker can replace any executable file on the system with an MSI file using the discretionary access control list (DACL) for Microsoft Edge Elevation Service.

Microsoft rated the vulnerability as "medium severity," with a base CVSS (Common Vulnerability scoring system) score of 5.5 and a temporal score of 4.8. Now that a functional proof-of-concept exploit code is available, others could try to further abuse it, possibly increasing these scores. At the moment, Microsoft has yet to issue a new update to mitigate the vulnerability.

Naceri seems to have tried to patch the binary himself, but with no success. Until Microsoft patches the vulnerability, the Cisco Talos group recommends those using a Cisco secure firewall to update their rules set with Snort rules 58635 and 58636 to keep users protected from the exploit.

Permalink to story.

 

psycros

Posts: 3,814   +4,943
"In simple terms, the proof-of-concept shows how a hacker can replace any executable file on the system with an MSI file using the discretionary access control list (DACL) for Microsoft Edge Elevation Service."

You gotta be kidding. This type of attack has been possible for well over a decade and I thought sure it has been patched globally across the system.
 

captaincranky

Posts: 18,013   +6,818
According to the description, it seems the workaround is to simply install Windows from a DVD, while offline.

I know, I know, that's too old fashioned and too slow. So then, be prepared to welcome your new "co-administrator" into the fold. :rolleyes:.
 

Ben Myers

Posts: 166   +67
The workaround is to install Windows from a DVD or USB stick. You know, this fits perfectly as the only possible approach when Windows is so badly hosed that your only recourse is to install Windows 10 from scratch. Had to do that for a client recently, saving over 100GB of his data temporarily on an external SSD, installing a clean Windows 10 and putting his data back. So after how many years and Microsoft still can't get installs and updates right? No excuse, Satya.
 

Gezzer

Posts: 198   +99
Is this an important find? Yes. Does it effect everyone to the point where we need to be freaking out? Not at all. Like many exploits in most cases it requires physical access to the system to work.

"Exploiting this vulnerability allows hackers with limited user access to elevate their privileges"

Does the above mean that there's no way to remotely use the hack? I'm sure that there is a way, but it would require an already compromised system. And in that case there are a number of ways to elevate privileges besides this one.

So again it simply means users have to use safe computer security practices at all times or suffer the results.