Malware now trying to exploit new Windows Installer zero-day.

The researcher observed that the bug was not properly fixed and could be bypassed to gain administrator privileges. Once the fix is bypassed, an attacker with any normal user account can elevate their privileges to administrator.
He could also replace any executable file on the system with an MSI file, which made it possible to run arbitrary code on the system with administrative privileges. According to him, this works on any supported Windows version that is fully patched. The best workaround available at the time of writing is to wait for Microsoft to release a security patch, given the complexity of this vulnerability.
Any attempt to patch the binary directly will break Windows Installer. So you better wait and see how Microsoft will screw the patch again. Final note: while I was working on the CVE patch bypass, I was successfully able to produce 2 MSI packages, each of them triggering a unique behaviour in the Windows Installer service.
One of them is the bypass of CVE and this one. On November 22, security researcher Abdelhamid Naceri released a fully functional proof-of-concept (PoC) exploit for the new Windows Installer zero-day vulnerability. The vulnerability in question is a Windows Installer elevation of privilege (EoP) bug initially patched by Microsoft in November. Yet the bug was not fixed properly, which allowed Abdelhamid Naceri, the researcher who revealed the issue, to find a way to overcome the protections.
What is worse, during his investigation Naceri discovered a much more severe EoP flaw that affects all currently supported Windows versions. If exploited, the PoC allows attackers to reach admin privileges when logged into a Windows machine with Edge installed. As a result, an adversary can run any malicious code as an administrator. According to the Bleeping Computer commentary, Naceri decided to release the proof-of-concept exploit for CVE to protest against significantly decreased bug bounty rewards from Microsoft.
And threat actors are taking advantage of this.
Windows Installer vulnerability becomes actively exploited zero-day.
In brief: Computer security group Cisco Talos has found a new vulnerability that affects every Windows version to date, including Windows 11 and Server. The vulnerability exists in the Windows Installer and allows attackers to elevate their privileges to become an administrator. The discovery of this vulnerability led the Cisco Talos group to update its Snort rules, which consist of rules to detect attacks targeting a list of vulnerabilities.
The updated list of rules includes the zero-day elevation of privilege vulnerability, as well as new and modified rules for emerging threats from browsers, operating systems and network protocols, among others.
Exploiting this vulnerability allows attackers with limited user access to elevate their privileges and act as an administrator of the system. The security firm has already found malware samples out on the Internet, so there is a good chance someone has already fallen victim to it. The vulnerability had been previously reported to Microsoft by Abdelhamid Naceri, a security researcher at Microsoft, and was supposedly patched with the fix CVE on November 9.
However, the patch did not seem to be enough to fix the issue, as the problem persists, leading Naceri to publish the proof-of-concept on GitHub. In simple terms, the proof-of-concept shows how an attacker can replace any executable file on the system with an MSI file by abusing the discretionary access control list (DACL) of the Microsoft Edge Elevation Service. Microsoft rated the vulnerability as “medium severity,” with a base CVSS (Common Vulnerability Scoring System) score of 5.
Now that functional proof-of-concept exploit code is available, others could try to abuse it further, possibly increasing these scores. At the moment, Microsoft has yet to issue a new update to mitigate the vulnerability. Naceri seems to have tried to patch the binary himself, but with no success. Until Microsoft patches the vulnerability, the Cisco Talos group recommends that those using a Cisco Secure Firewall update their rule set with the new Snort rules to keep users protected from the exploit.
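One host-side check that follows from the description above: a file that keeps an executable name but has been swapped for an MSI package no longer starts with a PE header, because MSI packages are OLE2 compound documents. The following Python script is an added example, not code from any of the articles or from the PoC; it scans a constructed sample tree (hypothetical paths and file contents, not real system files) for executables whose bytes are actually an OLE/MSI container.

```python
import os
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"                                   # DOS stub at the start of every PE image
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # OLE2 compound document: the MSI container
EXEC_SUFFIXES = {".exe", ".dll", ".sys"}


def classify_header(data: bytes) -> str:
    """Return 'pe', 'ole' (MSI container) or 'other' from a file's leading bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "other"


def find_msi_masquerades(root: str) -> list[str]:
    """Walk root and list executable-named files whose content is an OLE/MSI container."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            if path.suffix.lower() not in EXEC_SUFFIXES:
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if classify_header(head) == "ole":
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def run_demo() -> list[str]:
    """Build a constructed sample tree (hypothetical paths, not real system files) and scan it."""
    root = tempfile.mkdtemp(prefix="msi_check_")
    samples = {
        "Program Files/good/app.exe": PE_MAGIC + b"\x90\x00" + b"\0" * 60,   # normal PE
        "Program Files/bad/service.exe": OLE_MAGIC + b"\0" * 56,            # exe replaced by MSI
        "Downloads/installer.msi": OLE_MAGIC + b"\0" * 56,                  # genuine MSI, not flagged
        "Temp/empty.exe": b"",                                              # edge case: empty file
    }
    for rel, content in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return find_msi_masquerades(root)
```

Pointing find_msi_masquerades at a real directory such as a Program Files tree turns it into a quick sweep; the constructed tree only demonstrates which case is flagged and which are not.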
Windows Installer Zero-Day | FortiGuard – About the Zero-Day vulnerability:
As we are aware, the security researcher Abdelhamid Naceri discovered and reported this vulnerability. Surprisingly, he recently also found that the fix released by Microsoft can be bypassed and leveraged to achieve local privilege escalation. Cisco Talos stated that it has already detected malware samples that are actively attempting to take advantage of this newly discovered zero-day bug. The earlier patched vulnerability allowed the deletion of targeted files on a system but did not grant any privileges to modify or view the file contents.
This zero-day flaw is considered far more powerful than the earlier one, as it can be used to replace any executable on the system with an MSI file and can even allow attackers to run any code as an administrator.
Successful exploitation of this zero-day vulnerability allows an attacker to abuse the access gained to fully take over the compromised system, download any software, and delete, modify or obtain any sensitive information stored on the machine.
This vulnerability affects every supported, fully patched version of Microsoft Windows, including systems with the November Patch Tuesday updates installed.
As of the publication of this blog, Microsoft has not released any patch for this vulnerability, and no other fix information is available. There is no known workaround, due to the complexity of this vulnerability, as patching the binary would break Windows Installer.
Microsoft is aware of the issue and is expected to address it soon by releasing a security update. We are tracking this issue and will update the information as soon as it is available.
Credits: thehackernews