Researchers are warning of malware samples in the wild that they say are attempting to take advantage of a recently disclosed zero-day flaw in Microsoft's Windows Installer software component.
The flaw allows an attacker with access to a limited user account to obtain administrator privileges. The issue stems from an insufficient patch of CVE-2021-41379, which was issued on Nov. 9 as part of Microsoft’s Patch Tuesday security updates. On Nov. 22, the researcher who originally discovered the flaw, Abdelhamid Naceri, released proof-of-concept (PoC) exploit code on GitHub. Naceri - and other security researchers - confirmed the exploit code worked despite the fix.
Microsoft initially ranked CVE-2021-41379 as a medium-severity flaw, with a CVSS base score of 5.5. In order to exploit this initial flaw, an attacker must already have access to the targeted system, and must be able to execute low-privilege code.
However, “the release of functional proof-of-concept exploit code will certainly drive additional abuse of this vulnerability,” said Jaeson Schultz, technical leader with Cisco Talos, in a Tuesday threat advisory. So far, three malware samples relating to the vulnerability have been discovered, with the first appearing on Nov. 21, he said.
"This is a privilege escalation bug, so it could be added to an attacker's arsenal for escalation to admin privileges," Schultz said. "Based on the filenames associated with the samples, it appears that these malicious binaries were compiled by someone testing out the zero-day vulnerability. These could be either other security researchers experimenting with the proof-of-concept code, or it could be miscreants preparing for an attack."
Schultz said that as of the publication of the blog, there is no patch available from Microsoft. Microsoft did not respond to inquiries regarding a timeline for a potential fix.
With CVE-2021-41379, an attacker could abuse the Windows Installer service - the Microsoft Windows component used for the installation, maintenance and removal of software - by creating a junction. The PoC exploit code for the patch bypass, meanwhile, allows an attacker to overwrite the discretionary access control list (DACL) of the Microsoft Edge Elevation Service; a DACL identifies the users that are allowed or denied access to a securable object. This would allow a potential attacker to replace any executable file on the system with an MSI file and run code as an administrator. The flaw impacts versions of Microsoft Windows including Windows 11 and Server 2022, researchers said.
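As an added defensive example (not code from the article, Cisco Talos or the PoC), the PowerShell check below audits the binary behind the Edge Elevation Service that the bypass targets: it reports DACL entries granting write or replace rights to low-privileged principals, and reports a missing, invalid or non-Microsoft Authenticode signature on the file. The service name MicrosoftEdgeElevationService, a quoted service PathName and the set of low-privileged well-known SIDs are assumptions about a default install.

```powershell
# Added defensive example, not code from the article or the PoC. Audits the binary
# behind the Microsoft Edge Elevation Service for (a) DACL entries that let
# low-privileged principals rewrite or replace it and (b) a broken or non-Microsoft
# Authenticode signature, either of which is a sign of the overwrite described above.
function Test-EdgeElevationServiceBinary {
    param([string]$ServiceName = 'MicrosoftEdgeElevationService')  # assumed service name

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { Write-Warning "Service '$ServiceName' not found"; return }

    # PathName is normally a quoted executable path, possibly followed by arguments
    $exePath = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

    # Any of these rights lets a caller change or replace the service binary
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = $fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor $fsr::WriteAttributes -bor
                 $fsr::WriteExtendedAttributes -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership

    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
    $lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

    $acl = Get-Acl -LiteralPath $exePath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable identity; skip rather than guess
        if (($lowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{
                Check     = 'WeakDacl'
                Path      = $exePath
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

    # A replaced binary will usually fail validation or carry a non-Microsoft signer
    $sig = Get-AuthenticodeSignature -LiteralPath $exePath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        [pscustomobject]@{ Check = 'Signature'; Path = $exePath; Principal = $signer; Rights = $sig.Status; Inherited = $false }
    }
}

# Run the audit; no rows means neither check fired
Test-EdgeElevationServiceBinary | Format-Table -AutoSize
```

Run it from an elevated prompt so the ACL and service configuration can be read; a WeakDacl row on a file that should be writable only by SYSTEM, TrustedInstaller or Administrators is worth an incident ticket.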
"This flaw would let the attackers run code as an administrator on that system," said Schultz. "That could be used to download/install additional software, exfiltrate data from the compromised system, or even modify/delete data from the compromised system. Essentially they would have complete control."
This zero-day flaw is only the latest to afflict Microsoft products. The company earlier this month released patches for a remote code execution vulnerability in Exchange Server, which was being exploited in the wild. The important-severity flaw (CVE-2021-42321) stemmed from an improper validation of cmdlet arguments, which are commands used in the PowerShell environment. Researchers with Fortinet's FortiGuard Labs on Tuesday said that PoC exploit code has been released for this flaw. Microsoft also released fixes for an important-severity security feature bypass zero-day (CVE-2021-42292) in Microsoft Excel.