Malware now trying to exploit new Windows Installer zero-day


Malware creators have already started testing a proof-of-concept exploit targeting a new Microsoft Windows Installer zero-day publicly disclosed by security researcher Abdelhamid Naceri over the weekend.

“Talos has already detected malware samples in the wild that attempt to take advantage of this vulnerability,” noted Jaeson Schultz, Technical Manager of Cisco’s Talos Security Intelligence & Research Group.

However, as Cisco Talos outreach manager Nick Biasini told BleepingComputer, these exploitation attempts are part of low-volume attacks likely focused on testing and tuning exploits for full-scale campaigns.

“During our investigation, we looked at recent malware samples and were able to identify several that were already attempting to exploit the exploit,” Biasini told BleepingComputer.

“Since the volume is low, these are probably people working with proof-of-concept code or testing for future campaigns. This is just further proof of how quickly adversaries are working to arm a publicly accessible exploit.”

Zero-day bypasses Windows Installer patch

The vulnerability in question is a local elevation-of-privilege bug discovered as a bypass of a patch that Microsoft released during the November 2021 Patch Tuesday to correct a flaw tracked as CVE-2021-41379.

On Sunday, Naceri published a working proof-of-concept exploit for this new zero-day, saying it works on all supported versions of Windows.

If successfully exploited, this bypass gives attackers SYSTEM privileges on fully patched devices running the latest versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.

SYSTEM privileges are the highest user rights available to a Windows user and allow the execution of any operating system command.

By exploiting this zero-day, attackers with limited access to compromised systems can easily elevate their privileges to help spread laterally within a victim’s network.

BleepingComputer tested Naceri’s exploit and used it to successfully open a command prompt with SYSTEM permissions from an account with low-level “Standard” privileges.

“The best workaround available at the time of writing is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability,” Naceri explained.

“Any attempt to patch the binary directly will break the Windows Installer. So you better wait and see how Microsoft will screw up the patch again.”

“We are aware of the disclosure and will do whatever is necessary to ensure the safety and protection of our customers. An attacker using the methods described must already have access and the ability to execute code on a target victim’s machine,” a Microsoft spokesperson told BleepingComputer when asked for more details regarding this vulnerability.
