Malware creators have already started testing a proof-of-concept exploit targeting a new Microsoft Windows Installer zero-day publicly disclosed by security researcher Abdelhamid Naceri over the weekend.
“Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability,” said Jaeson Schultz, Technical Leader for Cisco’s Talos Security Intelligence & Research Group.
However, as Cisco Talos’ Head of Outreach Nick Biasini told BleepingComputer, these exploitation attempts are part of low volume attacks likely focused on testing and tweaking exploits for full-blown campaigns.
“During our investigation, we looked at recent malware samples and were able to identify several that were already attempting to leverage the exploit,” Biasini told BleepingComputer.
“Since the volume is low, this is likely people working with the proof of concept code or testing for future campaigns. This is just more evidence on how quickly adversaries work to weaponize a publicly available exploit.”
Zero-day bypasses Windows Installer patch
The vulnerability in question is a local privilege elevation bug found as a bypass to a patch Microsoft released during November 2021’s Patch Tuesday to address a flaw tracked as CVE-2021-41379.
On Sunday, Naceri published a working proof-of-concept exploit for this new zero-day, saying it works on all supported versions of Windows.
If successfully exploited, this bypass gives attackers SYSTEM privileges on up-to-date devices running the latest Windows releases, including Windows 10, Windows 11, and Windows Server 2022.
SYSTEM privileges are the highest user rights available to a Windows user and make it possible to perform any operating system command.
By exploiting this zero-day, attackers with limited access to compromised systems can easily elevate their privileges to help spread laterally within a victim’s network.
BleepingComputer has tested Naceri’s exploit and used it to successfully open a command prompt with SYSTEM permissions from an account with low-level ‘Standard’ privileges.
“The best workaround available at the time of writing this is to wait Microsoft to release a security patch, due to the complexity of this vulnerability,” explained Naceri.
“Any attempt to patch the binary directly will break windows installer. So you better wait and see how Microsoft will screw the patch again.”
“We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim’s machine,” a Microsoft spokesperson told BleepingComputer when asked for more details regarding this vulnerability.