{"id":4130,"date":"2021-11-29T13:05:29","date_gmt":"2021-11-29T13:05:29","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=4130"},"modified":"2026-06-08T22:53:05","modified_gmt":"2026-06-08T22:53:05","slug":"windows-installer-zero-day","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/windows-installer-zero-day\/","title":{"rendered":"Windows Installer Zero-Day"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">A new <strong>Windows Installer<\/strong> vulnerability has been identified that enables local privilege escalation. The vulnerability appears to have been introduced following the release of another Microsoft security patch that addressed a separate issue.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/11\/image-24.png\" alt=\"\" class=\"wp-image-4140\" width=\"598\" height=\"711\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/image-24.png 643w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/image-24-252x300.png 252w\" sizes=\"(max-width: 598px) 100vw, 598px\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">The preceding <strong>Windows Installer<\/strong> vulnerability (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-41379\">CVE-2021-41379<\/a>) was patched by Microsoft several weeks prior as part of the November Patch Tuesday updates.<br>However, on examining the fix, researchers identified a bypass of it and a more serious zero-day privilege escalation flaw.<br>In recent days, a <strong>POC<\/strong> (proof-of-concept) exploit named <a href=\"https:\/\/github.com\/klinix5\/InstallerFileTakeOver\">InstallerFileTakeOver<\/a> was published for the vulnerability, which affects all Windows versions. If exploited, the vulnerability would allow an attacker to obtain administrator privileges on <strong>Windows 10<\/strong>, <strong>Windows 11<\/strong>, and <strong>Windows Server<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Researchers have already identified malware samples exploiting this vulnerability. Several have confirmed on Twitter that the POC works and yields local privilege escalation even on Windows 10 20H2 and Windows 11 systems with the latest security patches installed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Although Group Policy by default prevents standard users from running MSI operations, the administrative installation feature appears to bypass Group Policy entirely.<br>The code released in the POC exploits the <strong>discretionary access control list (DACL)<\/strong> of the Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing a malicious user to run code with administrator privileges. This technique corresponds to the attack patterns T1548.004 (Abuse Elevation Control Mechanism: Elevated Execution with Prompt) and T1547.014 (Boot or Logon Autostart Execution: Active Setup). Organizations requiring <a href=\"https:\/\/fortgale.com\/en\/cybersecurity-advisory\/\">Cybersecurity Advisory<\/a> support should prioritize detection of such exploitation attempts.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Because of the complexity of this vulnerability, any attempt to patch the binary directly would break Windows Installer. The best mitigation currently available is to wait for Microsoft&#8217;s security patch and to monitor Windows systems for signs of such attack attempts.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Zero-day vulnerability in Windows Installer enabling local privilege escalation: exploitation techniques, public PoC analysis and mitigation paths.<\/p>\n","protected":false},"author":7,"featured_media":4140,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1491,3231,1573,274,3229,3230],"class_list":["post-4130","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-cve-it","tag-local-exploitation","tag-privilege-escalation-it","tag-privilege-escalation","tag-windows-installer","tag-zero-day"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4130","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=4130"}],"version-history":[{"count":11,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4130\/revisions"}],"predecessor-version":[{"id":9880,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4130\/revisions\/9880"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/4140"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=4130"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=4130"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=4130"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}