Attackers exploit Windows Installer zero-day vulnerability (CVE-2021-41379)

Attackers exploit Windows Installer zero-day vulnerability (CVE-2021-41379)

Bad actors have been exploiting a previously patched Windows Installer zero-day privileged escalation vulnerability.

The Windows Installer vulnerability CVE-2021-41379 could allow an attacker to elevate their privileges to become an administrator by using just a normal user account.

Although Microsoft issued a patch earlier this month as part of November security updates, researcher Abdelhamid Naceri found the patch was not sufficient to fix the vulnerability. Naceri subsequently published proof-of-concept (PoC) exploit code on GitHub on Nov. 22.

“While group policy by default doesn’t allow standard users to do any msi operation. The administrative install feature thing seems to be completely bypassing group policy,” Naceri wrote in the GitHub post.

The issue impacts every version of Windows, to include Windows 11 and Server 2022.

Moreover, the Cisco Talos cybersecurity team detected malware samples already abusing the vulnerability.

“The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator,” Talos wrote in the blog post.

On a related note, readers may remember back in 2018 when attackers exploited another Windows Installer vulnerability CVE-2017-11882 to delivery LokiBot malware.

Related Articles