Malware now trying to exploit new Windows Installer zero-day

Malware creators have already begun testing a proof-of-concept exploit for a new Microsoft Windows Installer zero-day, which security researcher Abdelhamid Naceri released over the weekend.

“Talos has already detected malware samples in the wild trying to take advantage of this vulnerability,” said Jaeson Schultz, technical director of the Cisco Talos Security Intelligence & Research Group.

But as Cisco Talos Outreach Manager Nick Biasini told BleepingComputer, these exploitation attempts are part of low-volume attacks that are most likely focused on testing and tweaking the exploit for use in full-scale campaigns.

“During our investigation, we looked at recent malware samples and were able to identify several that were already attempting to leverage the exploit,” Biasini told BleepingComputer.

“Since the volume is low, it’s probably people working with the proof-of-concept code or testing for future campaigns. This is just more evidence of how quickly adversaries work to weaponize a publicly available exploit.”

Zero-day bypasses the Windows Installer patch

The vulnerability is a local privilege escalation bug discovered as a bypass of the patch Microsoft released on the November 2021 Patch Tuesday to fix a flaw tracked as CVE-2021-41379.

On Sunday, Naceri published a working proof-of-concept exploit for this new zero-day, stating that it works on all supported versions of Windows.

If exploited successfully, this bypass gives attackers SYSTEM privileges on fully updated devices running the latest Windows releases, including Windows 10, Windows 11, and Windows Server 2022.

SYSTEM is the highest privilege level available to a Windows user and allows the execution of any command on the operating system.

By exploiting this zero-day, attackers with limited access to a compromised system can easily elevate their privileges and move laterally within the victim’s network.

BleepingComputer has tested Naceri’s exploit and used it to open a command prompt with SYSTEM permissions from an account with low-level ‘Standard’ privileges.

“The best solution available at the time of writing is to wait for Microsoft to release a security patch, due to the complexity of this vulnerability,” Naceri explained.

“Any attempt to patch the binary directly will break the Windows Installer. So you’d better wait and see how Microsoft screws up the patch again.”

“We are aware of the publication and will do what is necessary to keep our customers safe and secure. An attacker using the methods described must already have access and the ability to run code on a target victim’s machine,” a Microsoft spokesperson told BleepingComputer when asked for more details about this vulnerability.