Warning — Hackers Exploiting New Windows Installer Zero-Day Exploit in the Wild


Attackers are actively making efforts to exploit a new variant of a recently disclosed privilege escalation vulnerability to potentially execute arbitrary code on fully-patched systems, once again demonstrating how adversaries move quickly to weaponize a publicly available exploit.

Cisco Talos disclosed that it “detected malware samples in the wild that are attempting to take advantage of this vulnerability.”

Tracked as CVE-2021-41379 and discovered by security researcher Abdelhamid Naceri, the elevation of privilege flaw affecting the Windows Installer software component was originally resolved as part of Microsoft’s Patch Tuesday updates for November 2021.


However, in what’s a case of an insufficient patch, Naceri found that it was not only possible to bypass the fix implemented by Microsoft but also achieve local privilege escalation via a newly discovered zero-day bug.

The proof-of-concept (PoC) exploit, dubbed “InstallerFileTakeOver,” works by overwriting the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI installer file, allowing an attacker to run code with SYSTEM privileges.

An attacker with admin privileges could then abuse the access to gain full control over the compromised system, including the ability to download additional software, and modify, delete, or exfiltrate sensitive information stored in the machine.


“Can confirm this works, local priv esc. Tested on Windows 10 20H2 and Windows 11. The prior patch MS issued didn’t fix the issue properly,” tweeted security researcher Kevin Beaumont, corroborating the findings.

Naceri noted that the latest variant of CVE-2021-41379 is “more powerful than the original one,” and that the best course of action would be to wait for Microsoft to release a security patch for the problem “because of the complexity of this vulnerability.”

It is not exactly clear when Microsoft will act on the public disclosure and release a fix. We’ve reached out to the company for comment, and we will update the story if we hear back.




