Attackers are actively making efforts to use a brand new variant of a lately disclosed privilege escalation vulnerability to doubtlessly execute arbitrary code on fully-patched techniques, as soon as once more demonstrating how adversaries transfer shortly to weaponize a publicly obtainable exploit.
Cisco Talos disclosed that it “detected malware samples within the wild which are trying to make the most of this vulnerability.”
Tracked as CVE-2021-41379 and found by safety researcher Abdelhamid Naceri, the elevation of privilege flaw affecting the Home windows Installer software program part was initially resolved as a part of Microsoft’s Patch Tuesday updates for November 2021.
Nevertheless, in what’s a case of an inadequate patch, Naceri discovered that it was not solely doable to bypass the repair applied by Microsoft but additionally obtain native privilege escalation through a newly found zero-day bug.
The proof-of-concept (PoC) exploit, dubbed “InstallerFileTakeOver,” works by overwriting the discretionary entry management checklist (DACL) for Microsoft Edge Elevation Service to interchange any executable file on the system with an MSI installer file, permitting an attacker to run code with SYSTEM privileges.
An attacker with admin privileges may then abuse the entry to realize full management over the compromised system, together with the flexibility to obtain further software program, and modify, delete, or exfiltrate delicate info saved within the machine.
“Can affirm this works, native priv esc. Examined on Home windows 10 20H2 and Home windows 11. The prior patch MS issued did not repair the problem correctly,” tweeted safety researcher Kevin Beaumont, corroborating the findings.
Naceri famous that the newest variant of CVE-2021-41379 is “extra highly effective than the unique one,” and that one of the best plan of action could be to attend for Microsoft to launch a safety patch for the issue “because of the complexity of this vulnerability.”
It isn’t precisely clear when Microsoft will act on the general public disclosure and launch a repair. We’ve got reached out to the corporate for remark, and we are going to replace the story if we hear again.