Talos Security Intelligence & Research Group has released a new report outlining the discovery of a zero-day attack that affects all versions of Windows, including recently updated Windows 11 computers. According to the researchers, who also point out that malware targeting this vulnerability is already in circulation, the flaw is an “elevation of privilege vulnerability” in Windows Installer.
According to Cisco Talos, the zero-day vulnerability affects “any version” of Windows, including Windows Server 2022 and Windows 11 computers with all security patches installed. The team claims that the remedy issued with Microsoft’s November 9 monthly security update failed to address the previously discovered CVE-2021-41379 elevation of privilege vulnerability adequately.
Security researcher Abdelhamid Naceri first found the flaw. Earlier this week he published (on GitHub) a new proof of concept demonstrating that Windows Installer may still be abused despite the security fix. According to Talos, bad actors can use the vulnerability to replace any existing executable file with their own MSI, allowing them to run their malware with elevated rights on the victim’s PC.
I mean this is still unpatched and allows LPE if shadow volume copies are enabled;
But I noticed that it doesn't work on Windows 11 https://t.co/HJcZ6ew8PO
— Abdelhamid Naceri (@KLINIX5) November 15, 2021
As a result, this new vulnerability could be more dangerous than the one Microsoft tried to patch earlier this month. The first flaw allowed someone with a limited Windows account to gain administrator capabilities and remove files from a computer; however, the attacker could not edit or view any of the system’s existing files.
The disclosed proof-of-concept code, according to Talos, “will almost probably encourage additional abuse of this vulnerability.” The researchers did not go into detail about the malware they discovered in the wild that targets this vulnerability, saying only that the samples “are attempting to exploit this issue.”
It's really unfortunate how the issue cannot be mitigated without a patch from Microsoft.
I have attempted to mitigate the issue by prohibiting rollback in group policy.
However, the result was just worse. The installer ignored the flag and made the bug easier to exploit. https://t.co/Tz1HHs5eS7 pic.twitter.com/iWXKTNslOA
— Abdelhamid Naceri (@KLINIX5) November 24, 2021
Unfortunately, Microsoft has yet to release a security fix to address the zero-day vulnerability. Even if this vulnerability has not been actively exploited yet, the security firm believes it is only a matter of time until hostile actors take advantage of it. This, of course, raises questions about why Naceri chose to disclose the attack code rather than warn Microsoft and wait for a fix.
The folks over at Bleeping Computer had the same question and received a response from Naceri. According to the security researcher, Microsoft’s reduced bug bounty payouts were the reason for his decision to reveal the discovery. Even though Microsoft is aware of the problem, the new bug fix has yet to be released. If the previous discovery is any indicator, the update will likely be released on Patch Tuesday, which falls on the second Tuesday of each month.
Source: github | bleepingcomputer | msrc.microsoft | talosintelligence