New Windows Installer zero-day exploit abused by hackers

Researchers report a serious elevation-of-privilege flaw that permits arbitrary code execution on fully patched systems

Microsoft released an update to fix the flaw, but the patch was not sufficient

Attackers are attempting to exploit a major security vulnerability, researchers report. The more powerful variant of the zero-day flaw for which Microsoft released a patch earlier this month can be actively exploited.[1] The security hole was not properly fixed by the update. The vulnerability potentially leads to arbitrary code execution on systems that received the patch.[2]

Unfortunately, this shows how quickly publicly available exploits can be weaponized and how serious zero-day flaws are.[3] Recent security warnings and attack reports show that exploitation of a zero-day flaw can cause real damage and havoc on the systems and networks of major institutions, organizations and businesses. Code execution on the compromised machine can lead to data exfiltration or malware deployment.

The issue was detected when malware samples were discovered in the wild, used in campaigns attempting to exploit this flaw to the attackers' advantage. The flaw, tracked as CVE-2021-41379,[4] was reported by Abdelhamid Naceri. The patch for the privilege elevation flaw affecting the Windows Installer software component should have resolved it, but the patch was not working. Researchers revealed that it is still possible to bypass the fix and achieve local privilege escalation using the zero-day bug.

Insufficient patch for the security flaw

The November 9th patch did not fix the security issue, since the researcher found a bypass as well as a further zero-day privilege elevation bug. The proof-of-concept exploit showed that the issue can be exploited on every currently supported Windows version. If the bug is used, hackers can gain administrative privileges on a device running Windows 10, Windows 11, or Windows Server once logged onto a device that has Edge installed.[5]

The rating of this flaw is low in severity, but attackers can still delete files on the device, modify any content and view data if the flaw is exploited. However, the flaw discovered in addition to this bypass of the CVE-2021-41379 patch presents more serious problems than the original flaw:

  • attackers can run code with administrator rights;
  • replace any executable files using an MSI file;
  • launch commands;
  • download or install software;
  • exfiltrate data from compromised systems;
  • access/delete/modify files.

Active attacks and exploitation confirmed

The confirmation of possible exploitation also showed that attackers were already using the bug to take advantage of the attack opportunities. Some additional reports show that the POC, InstallerFileTakeOver,[6] works to deliver local privilege escalation, and other researchers tested the issue on Windows 10 and Windows 11.

This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022. Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability.

Unfortunately, even though Microsoft is aware of the discovery, nothing can be done now. The best option, for the moment, is to wait for the proper update from Microsoft that patches the issue correctly. Any other attempts may cause problems with performance or data, or even break the Windows Installer. The second attempt will hopefully be successful. It has not been officially reported when action will be taken and the fix released.