
Emerging Threats

Windows Installer Zero-Day

· u145 · 2 min read

A new Windows Installer vulnerability has been identified that enables local privilege escalation. It surfaced after Microsoft released a security patch for a separate Windows Installer issue: the fix for that earlier flaw is what researchers were examining when they found the new one.

The preceding Windows Installer vulnerability (CVE-2021-41379) was patched by Microsoft several weeks prior as part of November Patch Tuesday updates.
However, upon examining the remediation, researchers identified both a bypass of the patch and a more serious zero-day privilege escalation flaw.
In recent days, a proof-of-concept (POC) exploit named InstallerFileTakeOver was published for the vulnerability, which affects all supported Windows versions. If exploited, the vulnerability permits an attacker with a low-privileged local account to obtain administrator privileges on Windows 10, Windows 11, and Windows Server.

Researchers have already identified malware samples exploiting this vulnerability. Several researchers have confirmed on Twitter that the POC works and delivers local privilege escalation even on Windows 10 20H2 and Windows 11 systems with the latest security patch installed.

Although Group Policy by default prevents standard users from executing MSI operations, the administrative installation functionality appears to bypass Group Policy entirely.
The code released in the POC abuses the discretionary access control list (DACL) on the Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, enabling a malicious user to execute code with administrator privileges. This technique aligns with the T1548.004 (Abuse Elevation Control Mechanism: Elevated Execution with Prompt) and T1547.014 (Boot or Logon Autostart Execution: Active Setup) attack patterns. Organizations should prioritize detection of such exploitation attempts.

Due to the complexity of this vulnerability, any attempt to patch the Windows Installer binary directly (rather than waiting for a vendor fix) would render Windows Installer non-functional. The best mitigation currently available is to await Microsoft's security patch and, in the meantime, monitor Windows systems for signs of such attack attempts.
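The two defender-side checks that follow from the description above are (1) verifying that the Edge Elevation Service binary still has the DACL, owner and Authenticode signature one would expect, since the POC depends on loosening that DACL to replace the file, and (2) reviewing recent Windows Installer transactions for ones attributed to non-SYSTEM accounts on hosts where standard users are not supposed to run MSI operations. The PowerShell script below is an added example written for this article; it is not code from the advisory's author or from the POC. It assumes the service's display name contains "Edge Elevation", that the MsiInstaller provider logs transaction begin/end events as IDs 1040 and 1042 in the Application log, and that it is run from an elevated prompt.

```powershell
# Added example (not from the advisory or the POC): defender-side checks for the
# Windows Installer / Edge Elevation Service DACL abuse described above.
# Assumptions: service display name contains "Edge Elevation"; MsiInstaller
# writes transaction events 1040 (begin) / 1042 (end) to the Application log.
# Run from an elevated PowerShell prompt.

function Get-EdgeElevationServiceBinary {
    # Resolve the on-disk path of the Edge Elevation Service executable.
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%Edge Elevation%'" |
           Select-Object -First 1
    if (-not $svc) { return $null }
    # PathName may be quoted and may carry arguments; keep only the executable.
    $path = $svc.PathName
    if ($path.StartsWith('"')) { $path = $path.Split('"')[1] }
    else { $path = $path.Split(' ')[0] }
    return $path
}

function Test-ServiceBinaryIntegrity {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    $privileged = 'SYSTEM|Administrators|TrustedInstaller'

    # 1. The POC relies on a DACL that lets a low-privileged user replace the
    #    binary. Flag any Allow ACE granting write-class rights to a principal
    #    outside the expected privileged set, and any unexpected owner.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $rights = $ace.FileSystemRights.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and
            $rights -match 'Write|Modify|FullControl|ChangePermissions|TakeOwnership' -and
            $ace.IdentityReference.Value -notmatch $privileged) {
            $findings += "Suspicious ACE: $($ace.IdentityReference) has $rights"
        }
    }
    if ($acl.Owner -notmatch $privileged) {
        $findings += "Unexpected owner: $($acl.Owner)"
    }

    # 2. A replaced binary will normally fail Authenticode validation or carry
    #    a signer other than Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    return $findings
}

function Get-RecentInstallerTransactions {
    param([int]$Hours = 24)
    # Windows Installer transaction events attributed to a non-SYSTEM account
    # deserve review on hosts where standard users should not run MSI operations.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1040, 1042      # assumed: begin / end transaction
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $user = 'n/a'
            if ($_.UserId) {
                try   { $user = $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $user = $_.UserId.Value }   # unresolvable SID: keep raw value
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                User    = $user
                Message = ($_.Message -split "`n")[0]
            }
        } |
        Where-Object { $_.User -notmatch 'SYSTEM' }
}

$binary = Get-EdgeElevationServiceBinary
if ($binary) {
    Write-Host "Checking $binary"
    $issues = Test-ServiceBinaryIntegrity -Path $binary
    if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
    else { Write-Host 'DACL, owner and signature look as expected.' }
} else {
    Write-Host 'Edge Elevation Service not found on this host.'
}

Get-RecentInstallerTransactions -Hours 24 | Format-Table -AutoSize
```

The DACL check is a point-in-time snapshot, so it is most useful scheduled (or fed into an EDR file-integrity rule) rather than run once; the event review is a heuristic, since legitimate software deployment can also produce user-attributed installer transactions, and the result is a triage list, not a verdict.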
