Talos Security Intelligence & Research Group has published a new report detailing its discovery of a zero-day exploit impacting all Windows versions, including newly updated Windows 11 machines. The team describes this exploit as an “elevation of privilege vulnerability” that impacts Windows Installer, also noting some malware is already in circulation that targets this particular vulnerability.
According to Cisco Talos, the zero-day exploit covers “every version” of Windows, including Windows Server 2022 and Windows 11 machines that have all of the security patches installed. The team points to the previously discovered CVE-2021-41379 elevation of privilege vulnerability, claiming that the fix included with its Windows monthly security update on November 9 failed to adequately address the exploit.
The vulnerability was first discovered by security researcher Abdelhamid Naceri who published a new proof of concept earlier this week (via GitHub) showing that Windows Installer can still be exploited despite the security patch. Talos explains that malicious actors can take advantage of the vulnerability to swap out any existing executable file with their own MSI to run their own code on the victim’s machine using elevated privileges.
That potentially makes this new vulnerability more severe than the one Microsoft attempted to patch earlier this month. The originally discovered issue was found to allow someone with a limited Windows account to gain administrator privileges so they could delete files on a PC; it did not, however, allow the intruder to modify or view any of the system’s existing files.
Talos warns that the published proof-of-concept code “will certainly drive additional abuse of this vulnerability.” The team didn’t elaborate upon the malware it found in the wild that target this exploit, only noting that they “are attempting to take advantage of this vulnerability.”
Unfortunately, Microsoft doesn’t yet have a security patch available to address the zero-day exploit. Assuming this vulnerability isn’t yet actively exploited, the security firm indicates it’ll likely be a short matter of time before it’s utilized by malicious actors. This, naturally, raises questions over why Naceri decided to publish the exploit code rather than alerting Microsoft and waiting for it to release a fix.
The folks at Bleeping Computer had the same question and got a statement from Naceri about it. According to the security researcher, Microsoft’s decreased bug bounty payouts were the catalyst for his decision to publish the discovery. Though Microsoft is aware of the issue, it doesn’t yet have a release date for the new bug fix. If the previous discovery is any indication, we’ll likely see the update arrive with the company’s next Patch Tuesday, which is the second Tuesday of every month.