Attackers are actively making efforts to use a brand new variant of a just lately disclosed privilege escalation vulnerability to doubtlessly execute arbitrary code on fully-patched techniques, as soon as once more demonstrating how adversaries transfer shortly to weaponize a publicly accessible exploit.
Cisco Talos disclosed that it “detected malware samples within the wild which might be trying to benefit from this vulnerability.”
Tracked as CVE-2021-41379 and found by safety researcher Abdelhamid Naceri, the elevation of privilege flaw affecting the Home windows Installer software program element was initially resolved as a part of Microsoft’s Patch Tuesday updates for November 2021.
Nevertheless, in what’s a case of an inadequate patch, Naceri discovered that it was not solely doable to bypass the repair carried out by Microsoft but additionally obtain native privilege escalation by way of a newly found zero-day bug.
The proof-of-concept (PoC) exploit, dubbed “InstallerFileTakeOver,” works by overwriting the discretionary entry management checklist (DACL) for Microsoft Edge Elevation Service to interchange any executable file on the system with an MSI installer file, permitting an attacker to run code with SYSTEM privileges.
An attacker with admin privileges might then abuse the entry to realize full management over the compromised system, together with the power to obtain extra software program, and modify, delete, or exfiltrate delicate data saved within the machine.
“Can verify this works, native priv esc. Examined on Home windows 10 20H2 and Home windows 11. The prior patch MS issued did not repair the problem correctly,” tweeted safety researcher Kevin Beaumont, corroborating the findings.
Naceri famous that the newest variant of CVE-2021-41379 is “extra highly effective than the unique one,” and that the very best plan of action could be to attend for Microsoft to launch a safety patch for the issue “because of the complexity of this vulnerability.”
It is not precisely clear when Microsoft will act on the general public disclosure and launch a repair. We’ve reached out to the corporate for remark, and we’ll replace the story if we hear again.