New Windows Installer Zero-Day Exploit Is in the Wild

A recently disclosed Microsoft Windows Installer zero-day vulnerability is now being explored by malware creators. Publicly disclosed by security researcher Abdelhamid Naceri on a Github post last Sunday, the vulnerability allows for local privilege escalation from user-level privileges up to SYSTEM level - the highest security clearance possible. According to the security researcher, this exploit works in all supporting versions of Windows - including fully-patched Windows 11 and Windows Server 2022 installations. Before posting the exploit on GitHub, Naceri first disclosed it to Microsoft and worked with the company to analyze the vulnerability.

Microsoft introduced a mitigation for the CVE-2021-41379 zero-day exploit in November 2021's Patch Tuesday - but apparently failed to remediate the issue completely. Naceri then took to his GitHub post to provide a proof-of-concept exploit of the vulnerability that works even after Microsoft's mitigations were applied.

For the more technically-minded, Naceri's exploit leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service - this allows an attacker to replace any executable file on the system with an MSI file - and to run code as an administrator. BleepingComputer has tested Naceri's exploit and was able to open a command prompt with SYSTEM permissions from an account with low-level 'Standard' privileges.

Cybersecurity company Cisco Talos has provided a statement about the exploit, reporting that they've already seen instances of malware in the wild that are currently attempting to exploit the flaws. As Cisco Talos' Head of Outreach Nick Biasini told BleepingComputer, these exploitation attempts seem to be focused on testing and tweaking the exploits as preparation for larger-scale attacks.

Naceri explained that "the proof of concept is extremely reliable and doesn't require anything, so it works in every attempt." When it comes to mitigations, however, the researcher passes the ball to Microsoft: "The best workaround available at the time of writing this is to wait [for] Microsoft to release a security patch, due to the complexity of this vulnerability," explained Naceri.

The researcher also mentioned that his work in circumventing Microsoft's CVE-2021-41379 patch attempts resulted in him finding two possible exploits: the disclosed one which we're reporting on here, and a second one that also triggers a unique behavior in the Windows Installer Service and allows for the same sort of privilege escalation technique. Naceri did say that he'll be waiting for Microsoft to completely patch the CVE-2021-41379 vulnerability before releasing the second exploit method.

On the issue, a Microsoft spokesperson told BleepingComputer that "We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim's machine." And while Microsoft initially classified this vulnerability as medium-severity (with a base CVSS score of 5.5, and a temporal score of 4.8), the fact that functional proof-of-concept code is already out in the wild and being actively exploited by malware developers should bolster the severity of the vulnerability and prompt a faster, more decisive fix from Microsoft.