Attackers Actively Target Windows Installer Zero-Day

Researcher discovered a “more powerful” variant of an elevation-of-privilege flaw for which Microsoft released a botched patch earlier this month.

Attackers are actively exploiting a Windows Installer zero-day vulnerability that was discovered when a patch Microsoft issued for another security hole inadequately fixed the original and unrelated problem.

Over the weekend, security researcher Abdelhamid Naceri discovered a Windows Installer elevation-of-privilege vulnerability tracked as CVE-2021-41379 that Microsoft patched a couple of weeks ago as part of its November Patch Tuesday updates.

However, after examining the fix, Naceri found a bypass as well as an even more concerning zero-day privilege-elevation bug. The researcher posted a proof of concept (POC) exploit Tuesday on GitHub for the newly discovered bug that he said works on all currently-supported versions of Windows.

If exploited, the POC, called InstallerFileTakeOver, gives an actor administration privileges in Windows 10, Windows 11 and Windows Server when logged onto a Windows machine with Edge installed.

Peer Research Confirms Exploit and Active Attacks

Researchers at Cisco Talos Security Intelligence and Research Group as well as others confirmed the POC can be reproduced as well as corroborating evidence that threat actors were already exploiting the bug.

“This vulnerability affects every

Read More: