
Cisco’s security research division has released a report that offers details on the Windows Installer zero-day that is now being exploited in the wild. Yesterday we reported on how the bug was found when checking a broken fix Microsoft rolled out for Windows Installer. The vulnerability affects Windows Server, Windows 10, and Windows 11.

Cisco Talos Security Intelligence & Research Group backed up the work done by Abdelhamid Naceri, who found the flaw. Essentially, Microsoft rated the bug, CVE-2021-41379, as a low-severity threat because it did not allow users to escalate privileges. The company rolled out a fix during the November 2021 Patch Tuesday updates.

Naceri found that it was possible to bypass the fix and that the bug does indeed allow escalation of privileges, making it more dangerous than first thought. He developed a proof of concept (POC) called InstallerFileTakeOver, which has now been tested by Cisco Talos Security.


According to the security research team, the POC works and the flaw is legitimate. In fact, threat actors have already been exploiting the Windows Installer flaw. Cisco points out the vulnerability affects all supported Windows versions, including the newer Windows 11.

Attack Method

Cisco Talos points out that attackers can use the flaw to exploit Windows Installer and replace any executable file with their own malware. This allows them to run code on the machine with escalated privileges.

Microsoft says it knows of the bug but does not say when a fix will be released. Naceri says he decided to make the POC public because Microsoft is no longer offering high enough bounties for finding such bugs.
